University Times

U.S. Attorney for the Western District of Pennsylvania David Hickton outlined new tactics in fighting cybercrime while hacking expert Dave Kennedy showed how vulnerable we are in a cybersecurity symposium hosted by Computing Services and Systems Development (CSSD) as part of National Cyber Security Awareness Month.

Law enforcement’s response to cyber crime

“You’ve probably all been hacked at one time or another,” Hickton said in the Oct. 21 session at the William Pitt Union. “The attacks are coming with fury and frequency and persistence.”

The Internet, ubiquitous and necessary for nearly all communications, also is indispensable to industrial control and organizational systems, here and around the world.

It also “is a great highway for crime,” Hickton said.

Cybercriminals use the Internet in human trafficking or exploitation of children, said Hickton. “It can be used to disrupt our infrastructure and disable our economy by nation-states that would do us harm.

“It is most often used today by small groups of organized criminals who go on the Internet, hack into your systems and take your data — whether it’s your credit card or Social Security number  — and steal from you.”

It may be used by individuals who want to disrupt an organization, or groups that would like to call attention to themselves. “And sadly, as we deal with the problem of community violence, we’re increasingly tracing our targets through social media and the Internet and dealing with the narco-gun gang problem,” Hickton said.

*

Pittsburgh figures prominently in the fight against cybercrime not only because of the priority Hickton’s office places on these crimes, but also because of the nearby FBI presence on Pittsburgh’s South Side and such public-private entities as the Department of Homeland Security’s CERT (Computer Emergency Response Team) partnership with Carnegie Mellon and the National Cyber Forensics and Training Alliance.

Hickton said the Pitt bomb threats in 2012 cemented his office’s reputation as cybercrime-fighting experts.

“It was really this case where we established ourselves in western Pennsylvania as a place that could really solve the difficult thorny problems.”

In what he said was an unprecedented move, Hickton activated the Joint Terrorism Task Force in response to emailed bomb threats that forced multiple evacuations on campus.

And with the help of federal, state and local law enforcement as well as CSSD and law enforcement overseas, Scottish separatist Adam Busby eventually was identified as the perpetrator.

“We did not know when we started who he was, where he was. And much of what he was doing was insulated by the fact that it didn’t come to Pitt directly, it didn’t come to us directly, it came to a newspaper website… and his IP address was anonymized.”

Hickton said, “Not only was this an important case to deal with, with Pitt as a victim, but I thought it was an important case in terms of whether we were going to have a safe and civil society.”

Along with Busby’s threats came YouTube threats from a pair of Ohio hackers purporting to be from the hacktivist group Anonymous. “We quickly solved this case,” Hickton said, because the two had left on their iPhones the app that provided the evidence that they had done this.

Busby, who remains in Ireland under supervised release, faces charges there and in Scotland, Hickton said. “We are still trying to extradite him to bring him to justice here in Pittsburgh.”

*

Attacks on businesses are on the rise. In just the past two years, federal law enforcement has investigated such cybercrimes as a denial of service attack on PNC Bank, and attacks on AT&T  and retailers including Target, Home Depot, Michael’s and others.

“We’re analyzing these attacks and working with companies to try and identify who the perpetrators are, what they’re trying to take and what we can do about it.”

Only this year did they begin using the criminal justice system as a tool, he said, initially against members of China’s army intelligence unit, which hacked into Pittsburgh-based companies to steal sensitive commercial information to benefit competitors in China. “This charge, which was brought this May, was the first time ever the government used the criminal justice system to challenge this behavior,” Hickton said. “We’re ultimately going to bring them to justice and we’re committed to bringing them to justice here.”

Although this hacking has stopped since the charges were brought, “That doesn’t mean that the problem of computer intrusions by nation-states is over.”

In June, federal law enforcement indicted “perhaps the most notorious computer hacker in the world,” Russian Evgeniy Bogachev, author of the Zeus malware and its third-generation variation GameOver Zeus as well as the CryptoLocker ransomware.

“We both used the criminal indictment of Bogachev as well as an injunction from the court on a civil complaint, and we took down GameOver Zeus and CryptoLocker,” he said. “Our indictment against Bogachev has been lodged and we’re using every legal and diplomatic means to bring him to justice.”

*

“We are definitely at risk if we don’t take steps to protect our critical infrastructure,” Hickton said, citing the Stuxnet worm, which attacks industrial control systems, as another danger. “A motivated and capable hacker can attack the industrial control system remotely,” disrupting one or more manufacturing plants.

Cyberattacks represent the greatest threat to security no matter what the criminal actor’s intent, Hickton asserted.

“The Internet is today’s highway. It is a pathway for almost any manner and measure of crime that we deal with. It is relevant in every case we handle today and I think it will be central to every case we handle tomorrow,” he said.

The hacker threat

“Right now we’re seeing attackers flooding in from all types of demographics,” with attacks coming from hacktivists, state-sponsored or government entities, or organized crime operations, said computer security consultant and hacking expert Dave Kennedy.

“There are a lot of things hackers are going after because it’s profitable for them.”

When it comes to protecting your Social Security number, “It’s already out there,” he said. “It’s just a matter of whether or not it’s being used fraudulently.”

With the advent of electronic medical records, hackers now are targeting lucrative personal health information (PHI), stealing thousands or hundreds of thousands of records at a time, to sell for use in fraudulent activity.

Hackers are zeroing in on the United States when it comes to stealing credit card information because most cards here still use unencrypted magnetic stripe technology while other nations have moved to more secure European Mastercard Visa (EMV) smart card technology.

The U.S. transition to the more secure chip cards is expected by 2015. “Until we move to that, we’re going to see large breaches here,” he said, recommending Apple Pay or Google Wallet as alternatives to credit cards.

*

Hacking isn’t hard. “It’s not the sophisticated crazy stuff we have to deal with anymore. You Google ‘how to hack into somebody’s computer’ and the first three results will tell you how to do it,” Kennedy said.

“It’s crazy how fast you can break into someone’s computer,” even if they’ve taken security measures. In a segment on the Katie Couric show, Kennedy demonstrated how he created a realistic-looking but malicious website then sent the link in an email to his “victim” who had agreed to the security test.

As he expected, she unwittingly clicked on the link, which gave him access to her home computer. He enabled her webcam, allowing him to see and hear what was going on at her home. He also was able to view her family’s banking and medical records and other personal information.

“It took me 10 minutes.”

*

The most common attacks target you, the user. “You are the easiest way for me to break into an organization, because human beings make errors,” he said.

When attempting to hack an organization, he said, “It’s very easy for me to generalize something and send it to everybody in this organization to do it,” perhaps sending a link to a bogus site that purports to come from the company’s benefits department.

Companies have firewalls and intrusion detection systems. “Why fight millions of dollars of investment when I can just go over all of that and hack you?” And, once one member’s PC is infected, a hacker will use it as an entry to other systems on the network, he said.

“One person can be the downfall of an entire company,” he said, adding that the Target breach affecting 40 million credit and debit cards stemmed from a third-party HVAC system company that was hacked. “It’s that easy.”

Social engineering factors into targeted attacks, he said. If a hacker’s attempt appears believable, not setting off a reason for distrust, it’s likely to succeed. “As a hacker I can manipulate the ways that you behave on a regular basis. That’s what we do, because we know how you think.”

Avoiding ploys

• People often avoid reporting suspicious looking emails for fear of appearing dumb. “If it doesn’t look right, you’ve got to report it,” he urged. Just send a simple email: “Is this legit?” to your IT help team. “People will respond.”

• Look at the sender of your mail: Is the message coming from a legitimate email address?

• If it sounds too good to be true, it probably is. Don’t believe that your friend is trapped in a foreign country and needs you to wire him $500.

• “When you hover over a link and click on it, make sure you’re actually at that website: Look at the top at the URL bar.” It only takes a second to look up to ensure you’re at the site you intended.

“Think before you click,” he said, acknowledging that’s easier said than done.

Software advice

Antivirus software catches only 2-4 percent of viruses, and an estimated 14.2 million viruses are created per day, Kennedy said, recommending against paying for antivirus software. “It’s not worth it anymore,” and free is just as good, he said. Windows 8 has a built-in antivirus and Microsoft Security Essentials is available for Windows 7 and below.

Kennedy recommended downloading Microsoft’s free EMET (enhanced mitigation and experience toolkit), a Windows tool that watches for predictable methods of hacker attacks.

Uninstalling unnecessary software is another way to minimize possible points of attack.

“As a hacker, there are certain things I know you have on your computer … If I can hack those programs I know I can have access to your computer,” he said. Java is especially vulnerable, he said, adding that most people have it, but many don’t need it.

Strengthening account security with two-step verification or two-factor authentication offers additional protection in case of a hacked password, Kennedy said. And, password managers such as KeePass or 1Password store passwords in an encrypted vault, with only one password to remember.

In addition to keeping a watchful eye — “You have to be monitoring your bank accounts for fraudulent activity,” he said — Kennedy recommends services such as LifeLock that provide insurance against identity theft.

*

Hackers are continuously becoming more sophisticated. “These people are making millions and millions and millions of dollars,” he said.

“Don’t go with pitchforks and torches to the security team” when they implement more difficult computer security changes, Kennedy said. “They’re trying to protect you and stay ahead of the hackers.”

—Kimberly K. Barlow