Week 05: System and User Enumeration

I came across this article today that discussed how banks are aggressively moving towards bio-metric authentication methods while cyber criminals are already coming up and testing ways to defeat these. For the last few years banks have been trying to find another authentication method to protect their pin authenticated ATMs from skimmers. The banks have started to install fingerprint, facial, and palm nerve scanners on ATMs to provide an additional layer of security. Criminals are already implementing ways to fool these scanners. It can be very concerning if your bio-metric security is compromised since you cannot just change it like a password.

It’s a perfect example of how difficult it is to stay ahead of the cyber crime. Bio-metrics technology has been around for quite some time but is just beginning to be rolled out for this use and we already have to determine what’s next from here.

http://www.darkreading.com/bank-systems-and-tech/biometric-skimmers-pose-emerging-threat-to-atms/d/d-id/1326987?

I posted an article about how SWIFT was going to start punishing their customer banks by disclosing the bank’s security gap in order to get them to comply. Well it looks like SWIFT is now trying to provide these banks with data reports to “supplement its customers’ existing fraud reports.” These reports include an Activity Report and Risk Reports. It will contain “a snapshot view” of the day’s “messaging activity against which to detect unusual pattern.” Basically, these reports will contain the “messaging activity” data for the bank, and it will be compared to the data currently in the bank’s system. If there is a large discrepancy between the bank’s data and the report that SWIFT sends them, their might have been a cyber attack that altered that banks data. I don’t know if these reports will be any effective, but I guess its a start. By the time the reports show any abnormal pattern, the bank could have already lost millions of dollars due to a hack.

http://www.securityweek.com/swift-moves-combat-inter-bank-fraud

 

 

Brian Krebs is a reporter who does stories on cyber attackers that attack for profit.  In his line of work, he is often subject to several threats.  He has had SWAT teams show up at his house before, and death threats in the form of flowers.  Most recently, his website was the subject of a DDoS attack, sending 600-700 gigabits per second of internet traffic.  The security company protecting his site, Prolexic, had to stop supporting his website because it was the subject of so many attacks.  His site is now back up and running with Google’s Project Shield.  It is meant to protect activists from DDoS attacks.  Hackers are using unsecured devices from the Internet of Things, (IoTs) to launch this attacks.  A botnet of 25,000 CCTV cameras was being used to launch attacks across the world.

 

http://www.forbes.com/sites/thomasbrewster/2016/09/25/brian-krebs-overwatch-ovh-smashed-by-largest-ddos-attacks-ever/#14c6c9eb6fb6

Chief Information Officers should start making sure that mobile devices on their network as secure as possible. In this article Larry Dignan, describes that the biggest threat to corporate security stems from employees bringing their own devices on the network. Its not necessarily the devices that aren’t secure its the people that own the devices that are negligent. Many people still do not have PIN codes on their devices and if users were to open spam on their phone many devices automatically download messages in their entirety allowing for malware to  install itself. CISOs must implement BYOD policies and enforce mandatory PIN codes and software that allows remote wiping if a phone were to be lost. Since the internet of things is become more prevalent people need to be aware that the more devices they have connecting to the internet the more vulnerable they are. Dignan says that devices should have auto-lock enabled, should be kept within sight at all times and to have auto-discover Bluetooth turned off. This is some of the advice he gives to securing devices in an organization. He also states that malware will get more significant in the years to come as more and more devices become available to hackers on the internet.

Article: https://hbr.org/2016/09/your-biggest-cybersecurity-weakness-is-your-phone