Monday, July 25, 2016

Cybersecurity Threats to Organizations


The threat of hacking faced by organizations, corporations, and enterprises of every type is much greater than most people are aware. Law firms face an exponentially greater risk because, in addition to the firm’s own vulnerability, their clients’ information is also at risk.

The recent hack of the Panamanian law firm Mossack Fonseca and the release of the so-called “Panama Papers” should be a wake-up call for all law firms. The information exposed in the Panama Papers consisted of 11.5 million pages describing the formation of 214,000 offshore entities for more than 14,000 clients. The exposure could result in financial ruin for some people and has already prompted the resignation of Iceland’s prime minister.

Surprisingly, or perhaps not so surprisingly given the ubiquity of smart phones, the greater vulnerability exists not in legacy client-server systems but in mobile devices, facilitated by the use of social media. Cybersecurity guru John McAfee describes how he would hack a digital wallet and empty its contents using a smart phone and social media:

“I will give you an example: Suppose I wanted to entirely empty a person’s [cyber] wallet. Let’s further assume that the wallet is located on a smart phone or other general purpose computing device. In order for the wallet to be used, the device in question must have access to the Internet. These are the only conditions needed for me to empty the wallet, irrespective of the wallet used, whether Mycelium, Samourai or any other software wallet available.

Here’s how I would do it: I would first plant readily available spyware on the device. I could plant it through an email phishing scheme, or by inducing you to visit a website (a website drive-by is sufficient to set the “download unauthorized applications” flag on Android, for example; a subsequent click-through would plant the malware), or using any one of hundreds of other means. If the person owning the wallet was immune to all attempts (extremely rare), then I would use readily available hardware “push” systems and force the malware onto the device from a distance of up to a quarter of a mile away from the device.

Once the malware was installed, it would identify which cybercurrency wallets were being used on the device and log that information. It might also transmit that information to the hacker controlling the malware. It would then install a key logger and a keystroke intercept routine and, possibly, a selective screen capture that captured only the opening screen of the wallets when the wallet applications were executed. This single screen capture, in most cases, would contain the amount of the wallet’s contents. I would need this amount in order to completely empty the wallet. The screenshot would be sent to me at some point. The malware might also contain a “power off simulator” so that after the user believes they have turned the phone off for the night, it is really still “on” but pretending to be off. That way I could empty the wallet while the user was sleeping and would be guaranteed many hours before the user noticed that his wallet was empty.

After the user goes to sleep, I would activate the malware. The malware would execute the wallet app and click the “send coins” button, using the keyboard intercept routine. It would then input my wallet transaction ID, and enter the amount that I had communicated to the device. I would know the amount from the opening screenshot that had earlier been sent to me.

If the wallet required a pin number in order to complete the transaction, I would then wait until the user uses the wallet themselves. My keystroke logger would then give me the pin number. The following night I would have the malware enter the pin number and then complete the transaction as described above.

If the designers of the wallet were clever enough in designing the wallet, I might have to include a software “root” routine, of which hundreds are available, in the malware. Once rooted, I would override whatever keyboard and screenshot precautions had been taken and again proceed as outlined above.

This is just one of many techniques that could be used. All of the malware could be built in a matter of a few hours using off-the-shelf hacker toolkits.”

Solutions to cybersecurity challenges promise to be the “Next Big Thing” in technology development. New companies are popping up everywhere to deal with the multifaceted threats, which range from something as simple as denial of service to complex attacks such as the one that destroyed the privacy of 14,000 Mossack Fonseca clients’ data.
