Category Archives: Case Studies
For Your Eyes Only
Whilst reading an excellent article this morning in The Age ‘Keeping Out Smart Phone Snoops, by Brian Chen I noted the underlying theme of his article was locking your smartphone, where the article clearly stated: ‘One of the easiest ways to add a layer of security to your smartphone is requiring a password to get past the initial lock screen’.
Having read the article and agreeing with its range of valuable tips on protecting your data in your smartphone, I thought it prudent to bring to subscribers of Cyber Guardians Online the background of a common criminal activity known as ‘Shoulder Surfing‘ that surfaced in the early 1990′s.
I personally came across shoulder surfing as a Federal Agent, where as one of the inaugural members of the newly formed Computer Crime Unit in Sydney, a significant file came across my desk involving an Australian traveling on business in New York City and coming home to a home phone bill in excess of $2 Million. It was early in the 1990′s, pre mobile phones, where travelers could opt to link a home phone account to a ‘Calling Card‘. Calling cards were great, go to any phone in the world, call a local dedicated number and either tell the operator or on some occasions just key in your calling card number and personal identification number (PIN) to make a call anywhere and have it recorded on your home phone bill.
One major problem back then was that phone companies did not have safeguards built in to detect simultaneous calls from the same calling card that were being made from various locations around the globe and as such fraud was rife. The manner in which the fraud was conducted was quite simple, all one had to do was obtain the calling card number and PIN and all calls were made at the account holders expense.
Free international phone calls in a multicultural city like New York City was a commodity that was extremely valuable on the black market, where a person with just one calling card number and PIN could on sell the details hundreds of times a day usually for $20 and of course the purchaser of that calling card number and PIN would also then on sell the details as well. Furthermore, the illicit transaction could be guaranteed with all parties ‘testing’ the cards validity at a local phone box.
Obtaining the Account Number and PIN
As you could imagine obtaining calling card details became very lucrative and this is where criminal enterprises resorted to some basic surveillance 101 tactics of which I will refer to here in dot point form:
- Standing behind the person at the payphone and memorizing the persons account number and PIN (clearly an apprentice card counter in the making)
- Using telephoto lenses and video taping persons entering personal details into the payphone
- Standing close by or on the other side of the row of payphones in airports, bus interchanges and railway stations and writing down account details and PIN’s as customers spoke to a calling card operator.
As you can see it was not that hard to obtain such personal details and turn a simple few numbers into a positive cash flow operation within minutes and generally the card would remain active until the unsuspecting victim received a telephone bill he/she could not jump over.
Yes, phone companies became smarter over time and introduced safeguards similar to what banks have in place now with ATM card transactions. However, the above scenario was the breeding ground for producing ‘Shoulder Surfing’ experts who now operate with a view to obtaining your mobile/cell phone after securing your PIN from Shoulder Surfing.
Locking Your Phone Is Not Enough
Hence the underlying theme of this post is to warn you that locking your phone with a PIN is your first level of defense, your PIN needs to protected with vigilance. How many times do you sit in the open and enter your PIN without covering your actions whilst:
- At Bus/Train stops?
- On public transport?
- At bars/cafes?
- Walking along crowded streets?
- Opposite a work colleague?
Furthermore, how many of you have your mobile/cell phone PIN’s set the same as your bank ATM cards? Surprisingly a high majority do so and this opens a whole new Pandora’s box, with ATM and credit card fraud.
All it takes is for the person who has acquired your phones PIN code to obtain your phone and ATM cards either through pickpocketing, bag snatch and or surveilling you home or to work and obtaining your phone and cards where at times you may not notice the theft until the morning or at the end of your workday. The domino effect can lead to your suffering severe financial loss as banks are reluctant to reimburse funds to persons who do not protect PIN numbers.
Finally what other data is stored on your phone as The Age article highlighted and as indicated here in this post, crime gangs the world over have had years to perfect the simple art of ‘Shoulder Surfing’ and it is re-emerging as a criminal activity that will capitalize on unsuspecting citizens going about their daily business.
The Age, Chen, B., Sunday April 5 2013,
The internet and the current phenomenon of social media has changed the way we communicate, do business and even socialize, it is a paradigm shift that society has embraced at such speed and ease that rarely a moment goes by in a civilised nation where such technology has not impacted each and every person.
The way in which social media flourishes is that it requires engagement and ‘engagement’ is encouraged by ‘sharing’, and ‘sharing’ comes in various forms whether it be via Facebook’s or LinkedIn ‘Likes’ or actual ‘sharing’ buttons, to sharing the mobile App you have downloaded via a ‘share’ button.
Sharing introduces a whole new realm to how we perceive trust. Studies have shown that the majority of the figures below are a result of people ‘sharing’.
- In one day on the Internet:
- Enough information is consumed to fill 168 million DVDs
- 294 billion emails are sent
- 2 million blog posts are written (enough posts to fill TIME magazine for 770 million years)
- 172 million people visit Facebook
- 40 million visit Twitter
- 22 million visit LinkedIn
- 20 million visit Google+
- 17 million visit Pinterest
- 4.7 billion minutes are spent on Facebook
- 532 million statuses are updated
- 250 million photos are uploaded
- 22 million hours of tv and movies are watched on Netflix
- 864,000 hours of video are uploaded to YouTube
- More than 35 million apps are downloaded
- More iPhones are sold than people are born
As we know ‘sharing’ brings trust, loyalty and generally out of this comes relationship development, whether personal or professional and in turn it is here vulnerabilities may emerge.
Recently the media has been awash with not only industrial cyber espionage reports but of a major issue facing the internet community and that is ‘country sanctioned’ cyber espionage and or attacks.
History may one day reveal that as the United States fretted over the possibility of a “cyber Pearl Harbor” – a catastrophic attack that would take down electrical grids – its economic lifeblood was being slowly drained away by a massive hacking enterprise located in the People’s Republic of China. (Magnuson, 2012)
Cyber Command Commander Army Gen. Keith Alexander last year called the cyber-espionage being conducted against U.S. companies the largest transfer of intellectual property from one nation to another in the history of the world. (Magnuson, 2012)
Eric Rosenbach, deputy assistant secretary of defense for cyber policy, said the nation is not as focused on intellectual property theft as it should be. A catastrophic cyber war is important to prepare for, but an unlikely scenario. Stealing data important to the nation’s economic security, meanwhile, is occurring here and now. (Magnuson, 2012)
We all have seen them on our travels or have had friends bring back ‘knock offs’ from trips to Asia, watches, handbags, sunglasses, fashion items even IPHONEs and computer software. All produced with such high quality similarities that it is hard at times to distinguish the ‘fake’ from the real item.
The proliferation of the internet and its related activity has allowed for ‘copying’ to occur at a rate that cannot be controlled or monitored. The aforementioned figures identify the staggering internet traffic and streaming that is taking place on any given day.
Experts describe a large, technologically advanced and well organized enterprise coming out of China that is going after businesses large and small. Any firm that has a trade secret, or could be used as a stepping stone to a larger company, is a potential target. Intellectual property theft has the potential to erode a company’s profits or even bankrupt it. There is no magical software that can stop every intrusion attempt, but even companies with few resources can take steps to mitigate the risk, experts told National Defense. (Magnuson, 2012)
To thwart the Chinese cyber-espionage enterprise, it is important to characterize it. In the world of network security, it was once called the “advanced persistent threat.” But government officials have done away with using that euphemism: it’s China, they now say. The October 201 1 “Foreign Spies Stealing U.S. Economic Secrets in Cyberspace” report, produced by the FBI‘s office of national counterintelligence executive, acknowledged that the attacks came from China, but stopped short of blaming the Chinese government, which routinely denies involvement. (Magnuson, 2012)
Jason Lewis, chief technology officer of Looking Glass Cyber Solutions, said, “In general, when you have a situation where the state runs everything, you have to assume that the state is involved in any enterprise.”
In country “scouts” doing the reconnaissance are increasingly using social media websites to gather personal information to use in phishing attacks, said Dave Papas, chief operating officer of Cyveillance, a subsidiary of QinetiQ North America that provides security for Fortune 500 companies. (Magnuson, 2012)
Friends, hometowns, hobbies, anything that can be placed in the email to make the target believe it is a legitimate message, can be used and every piece of information is a means to an end.
It was recently reported in the Australian Financial Review that an “…Australian chief executive was travelling in China recently when he received a curious email from his adult daughter asking if “Daddy” was having a good time. But it wasn’t his daughter who had sent the email…” (Grigg, 2013) It was a ‘phishing’ attack to penetrate the chief executives lap top and such a line in the email idicates the logistical efforts of a well resourced and technologically advanced team to not only hack into the executives daughters email but to establish his travel movements and the like. Had it not been for the executive being alert and realising that his daughter had not called him ‘daddy’ for a long time, the attempt by the perpetrators failed on this occasion.
This attack is a clear example of an attack that attempts to infiltrate a network in the form of an phishing email, a well-crafted letter that seemingly comes from a friend or business associate. This tactic has not changed in years, but is growing more sophisticated and frequent. Why? Phishing attacks work and, “it is a lot easier to control humans than the technology,” said Rick Doten, vice president of cybersecurity for DMI, a firm that does work for the U.S. government. (Magnussen, 2012)
This example clearly, supports that we must not count on it being written in anguished English like the common scam letters purportedly originating from Nigerian princesses as it is common place now that native speakers of English are helping compose the phony emails.
Once an attachment or a link to a fake website is opened, specialists in moving around a network without being detected take over and probe for other vulnerabilities. This may mean taking over an email account in order to generate more trusted, fake emails as most likely would have bene the case with the example identified in the Australian Financial Review.
It is well founded that smaller companies, particularly in the defense industrial base, may be used to go after bigger companies – big prime contractors – higher in the food chain. Once the cyberspies have located the information they want, another team takes over to exflltrate it. It is ideally ferreted away in normal traffic without being detected. (Magnussen, 2012)
Open source defence journals have reported the following:
- A US company has identified an organisation in China that it says is responsible for stealing hundreds of terabytes of data from US government organisations and companies
- According to the company, the organisation receives direct funding from the Chinese government through a PLA department called Unit 61398
China is conducting a campaign of sustained and persistent state-sponsored hacking by an organisation referred to as Advanced Persistent Threat 1 (APT1), according to a report from US cyber security company Mandiant that was released on 18 February.
The report, entitled ‘APT1: Exposing One of China’s Cyber Espionage Units’, details wide-ranging hacking activities that Mandiant has traced back to China. It focuses on a particular series of cyber security breaches and intrusions carried out against at least 141 victims from 2006, all of which Mandiant has attributed specifically to APT1. According to the report, “hundreds of terabytes” of data have been stolen in these attacks.
Mandiant concludes that APT1 is able to carry out such sustained and extensive hacking activities because it receives direct government backing. It names the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s 3rd Department, or Unit 61398, as the organisation behind this activity. This group is also informally referred to as Comment Crew or Comment Group. Mandiant states the allegations are based on its own forensic analysis of similarities in the characteristics and geographical sources of hacking activity.
Comment Crew’s activities were traced to the Pudong New Area of Shanghai, where Unit 61398 is believed to engage in computer network operations. Mandiant said Unit 61398 is staffed by “hundreds, if not thousands” of people that have undergone cyber training and are proficient English speakers. Of the victims tracked in the Mandiant report, 87% are headquartered in countries where English is the native language.
Andrew Beckett, head of cyber security consulting at Cassidian, told IHS Jane’s that “the Mandiant report provides no surprise to those involved in cyber security and this should provide a wake-up call to industry and governments. Comment Crew are one of many groups Cassidian know of that are operating in this area”.
China’s Ministry of National Defence rejected Mandiant’s findings. “The Chinese military has never supported any kinds of hacker activities, so saying that the Chinese military is involved in internet attacks is neither professional nor consistent with the facts,” it said in a statement released on 19 February.
However, I recall from one of my lectures in my Masters of National Security, from American Military University that China allegedly has in excess of 50,000 persons engaged in ‘internet espionage at any one time.
So, next time you get that ‘friend’ request or you ‘like’ or ‘fan’ a page in Facebook or in any other form of social media or email, always remember that ‘friend’ or ‘like’ could be just be a foreign spy……
Grigg, A, 2013, ‘Australian Execs Among Those Hacked In China’ The Australian Financial Review, 26 January 2013.
Magnuson, S. (2012). Stopping the chinese hacking onslaught. National Defense, 97(704), 26-28. Retrieved from http://search.proquest.com/docview/1026586020?accountid=8289
Social Skinny, 2012, http://thesocialskinny.com/100-social-media-mobile-and-internet-statistics-for-2012/