Wednesday 20 November 2013

Feds Charge Calif. Brothers in Cyberheists

Federal authorities have arrested two young brothers in Fresno, Calif. and charged the pair with masterminding a series of cyberheists that siphoned millions of dollars from personal and commercial bank accounts at U.S. banks and brokerages.
Adrian, left, and Gheorghe Baltaga (right). Photo: Fresnorotary.org
Taken into custody on Oct. 29 were Adrian and Gheorghe Baltaga, 25- and 26-year-old men from Moldova. Documents unsealed by the U.S. District Court for the Northern District of California laid out a conspiracy in which the brothers allegedly stole login credentials for brokerage accounts of Fidelity Investments customers, and then set up fraudulent automated clearing house (ACH) links between victim accounts and prepaid debit card accounts they controlled.
From there, according to the government, the men then used the debit cards to purchase money orders from MoneyGram and the U.S. Postal Service, which were deposited into different accounts that they could pull cash from using ATM cards. An attorney for the Baltaga brothers did not respond to multiple requests for comment.
According to interviews with investigators, the Baltaga indictments (PDF) reveal surprisingly little about the extent of the cybercrimes that investigators believe these men committed. For example, sources familiar with the investigation say the Baltaga brothers were involved in a 2012 cyberheist against a Maryland title company that was robbed of $1.7 million.
In April 2012, I was tracking a money mule recruitment gang that had hired dozens of people through bogus work-at-home jobs that were set up to help cybercrooks launder funds stolen from hacked small businesses and retail bank accounts. One of the mules I contacted said she’d just received notification that she was to expect a nearly $10,000 transfer to her bank account, and that she should pull the money out in cash and wire the funds (minus her 8 percent commission) to three different individuals in Ukraine and Russia.
The mule said she’d been hired by a software company in Australia, and that her job was to help the firm process payments from the company’s international clients. This mule told me the name of her employer’s “client” that had sent the transfer, and a Google search turned up a Washington, D.C.-area title firm which asked not to be named in this story out of concern that the company’s competitors would use it against them.
Baltaga residence in a Fresno gated community.
That title firm was unaware of it at the time, but fraudsters had recently installed the ZeuS Trojan on an employee’s computer and were using it to send wire transfers and ACH payments to money mules and to bank accounts controlled by the bad guys. In many cases, victim companies will react with hostility when alerted to such crimes by a reporter, but in this case the company quickly contacted their bank and discovered that the thieves had already pushed through more than $700,000 in fraudulent wires and ACH payments. Just minutes before I contacted the title firm, the crooks had initiated a fraudulent wire transfer of $1 million.
The company and its bank were ultimately able to block the $1 million wire and claw back about half of the $700,000 in wires and fraudulent ACH transfers. The firm and its bank seemed doomed to battle it out in court over the remaining amount, but earlier this year the two sides reached a confidential settlement.

The Baltaga brothers were charged with wire fraud, conspiracy to commit bank fraud and wire fraud, aggravated identity theft, and aiding and abetting. If convicted, the two men also stand to lose the 5-bedroom, $800,000 home they purchased together in Fresno.
If you operate a small business in the United States and are banking online, please take a moment to read this piece: Online Banking Best Practices for Businesses. Businesses do not enjoy the same legal protections afforded to consumer banking customers hit by cyber thieves. As a result, organizations can be held responsible for any losses due to phishing or account takeovers.

Cupid Media Hack Exposed 42M Passwords

An intrusion at online dating service Cupid Media earlier this year exposed more than 42 million consumer records, including names, email addresses, unencrypted passwords and birthdays, according to information obtained by KrebsOnSecurity.
The data stolen from Southport, Australia-based niche dating service Cupid Media was found on the same server where hackers had amassed tens of millions of records stolen from Adobe, PR Newswire and the National White Collar Crime Center (NW3C), among others.
The purloined database contains more than 42 million entries in the format shown in the redacted image below. I reached out to Cupid Media on Nov. 8. Six days later, I heard back from Andrew Bolton, the company’s managing director. Bolton said the information appears to be related to a breach that occurred in January 2013.
“In January we detected suspicious activity on our network and based upon the information that we had available at the time, we took what we believed to be appropriate actions to notify affected customers and reset passwords for a particular group of user accounts,” Bolton said. “We are currently in the process of double-checking that all affected accounts have had their passwords reset and have received an email notification.”
A redacted screen shot showing several of the stolen user accounts. Passwords were stored in plain text.
I couldn’t find any public record — in the media or elsewhere — about this January 2013 breach. When I told Bolton that all of the Cupid Media users I’d reached confirmed their plain text passwords as listed in the purloined directory, he suggested I might have “illegally accessed” some of the company’s member accounts. He also noted that “a large portion of the records located in the affected table related to old, inactive or deleted accounts.”
“The number of active members affected by this event is considerably less than the 42 million that you have previously quoted,” Bolton said.
The company’s Web site and Twitter feed state that Cupid Media has more than 30 million customers around the globe. Unfortunately, many companies have a habit of storing data on customers who are no longer active.
Alex Holden, chief information security officer at Hold Security LLC, said Bolton’s statement is reminiscent of the stance that software giant Adobe Systems Inc. took in the wake of its recently-disclosed breach. In that case, a database containing the email and password information on more than 150 million people was stolen and leaked online, but Adobe says it has so far only found it necessary to alert the 38 million active users in the leaked database.
“Adobe said they have 38 million users and they lost information on 150 million,” Holden said. “It comes to down to the definition of users versus individuals who entrusted their data to a service.”
31 million Cupid users registered with a Yahoo, Hotmail or Gmail address. 56 Homeland Security Dept. employees were looking for love here as well.
The danger with such a large breach is that far too many people reuse the same passwords at multiple sites, meaning a compromise like this can give thieves instant access to tens of thousands of email inboxes and other sensitive sites tied to a user’s email address. Indeed, Facebook has been mining the leaked Adobe data for information about any of its own users who might have reused their Adobe password and inadvertently exposed their Facebook accounts to hijacking as a result of the breach.
Holden added that this database would be a gold mine for spammers, noting that Cupid’s customers are probably more primed than most to be responsive to the types of products typically advertised in spam (think male enhancement pills, dating services and diet pills).

Bolton adopted a softer tone in the second half of his email, indicating that the company may not have understood the full scope of the intrusion.
“Since you have now provided additional information we now have a clearer picture of what transpired back in January,” Bolton wrote. “We are currently in the process of double-checking that all affected accounts have had their passwords reset and have received an email notification.”
Bolton continued:
Subsequent to the events of January we hired external consultants and implemented a range of security improvements which include hashing and salting of our passwords. We have also implemented the need for consumers to use stronger passwords and made various other improvements.
We would like to thank you for bringing this issue to our attention and I can confirm that we are committed to investigate this matter further and make any additional improvements still required. Protecting our customers’ privacy and data is important to us and we will continue to make additional investments in improved security for our members. We sincerely apologize for the inconvenience this has caused our members.
It is entirely likely that the records I have seen are from the January breach, and that the company no longer stores its users’ information and passwords in plain text. At least Cupid Media doesn’t send your password in plain text when you request a password reset, like far too many other companies do. It’s also remarkable that a company with this many users would not have seen this coming. Back in Feb. 2011, I broke a story that received considerable media attention; it was about a hack that exposed some 30 million customer records at Plenty Of Fish (pof.com), an online dating service that also admitted to storing its users’ passwords in plaintext.
In any case, since I didn’t have to crack any of the passwords, I thought it might be useful to have a look at the top passwords used by Cupid Media customers. It seems that many Cupid users did not place much value in their accounts when picking passwords, because a huge percentage of them chose downright awful passwords. By my count, more than 10 percent of Cupid’s users chose one of these 10 passwords:
Image: the ten most common Cupid Media passwords.
The top 10 non-numeric passwords are probably typical for a dating site, but still horrible nonetheless:
Image: the ten most common non-numeric Cupid Media passwords.
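As an added example that is not code from KrebsOnSecurity or Cupid Media, the Python below puts the threads of this story together on a constructed sample dump: tallying the most common plaintext passwords and the share of accounts that chose them, the salted PBKDF2 hashing and common-password denylist Cupid Media says it has since adopted, and a leaked-password check of the kind Facebook ran against the Adobe data, which needs only the stored salt and hash, never the plaintext. The records, addresses, iteration count and minimum length are all assumptions.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample dump in the style of the redacted screenshot above:
# (e-mail address, plaintext password). Every entry here is made up.
LEAKED_RECORDS = [
    ("a@example.com", "123456"), ("b@example.com", "123456"),
    ("c@example.com", "123456"), ("d@example.com", "123456"),
    ("e@example.com", "123456"), ("f@example.com", "password"),
    ("g@example.com", "password"), ("h@example.com", "password"),
    ("i@example.com", "iloveyou"), ("j@example.com", "iloveyou"),
    ("k@example.com", "qwerty"), ("l@example.com", "111111"),
    ("m@example.com", "lovely"), ("n@example.com", "abc123"),
    ("o@example.com", "sunshine"), ("p@example.com", "princess"),
    ("q@example.com", "charlie"), ("r@example.com", "dragon"),
    ("s@example.com", "monkey"), ("t@example.com", "letmein"),
]

PBKDF2_ITERATIONS = 100_000  # assumption: tune to your own hardware


def top_passwords(records, n):
    """The n most common plaintext passwords in a dump, with counts."""
    return Counter(pw for _, pw in records).most_common(n)


def share_using_top(records, n):
    """Fraction of accounts that picked one of the n most common passwords."""
    hits = sum(count for _, count in top_passwords(records, n))
    return hits / len(records)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) as bytes.
    A fresh random salt per account means equal passwords hash differently."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate against the stored hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def build_denylist(records, n):
    """Common-password denylist taken from the top n of a public dump."""
    return {pw for pw, _ in top_passwords(records, n)}


def register(store, email, password, denylist, min_length=10):
    """Reject weak passwords and store only salt + hash, never the plaintext."""
    if len(password) < min_length:
        raise ValueError("password too short")
    if password.lower() in denylist:
        raise ValueError("password is on the common-password denylist")
    store[email] = hash_password(password)


def find_reused(store, leaked_records):
    """Accounts whose stored hash matches a plaintext from a third-party leak,
    so they can be forced through a reset before someone else tries it."""
    reused = []
    for email, leaked_pw in leaked_records:
        if email in store and verify_password(leaked_pw, *store[email]):
            reused.append(email)
    return reused
```

The reuse check is deliberately one-directional: the site hashes each leaked plaintext with the account's own salt and compares, so it learns nothing about a user's password unless that password is already public.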

F-Secure Offers Lifetime Security

There's a trend among security companies to offer super-wide protection that covers all of your devices. A subscription to McAfee LiveSafe, for example, lets you install protection on every Mac, PC, and mobile device in your household and monitor them all from a single location. Symantec and Kaspersky offer similar packages, though their subscriptions cover a fixed number of devices. Today, F-Secure announced an offer that's expansive in a different direction.
Rather than cover all your devices for one year, the F-Secure Internet Security PC Lifetime License covers one PC for its entire lifetime, which F-Secure defines as seven years. Users will get the exact same protection offered by F-Secure Internet Security 2014, updating to all new versions that appear during the seven-year subscription. It's definitely a novel approach.
Laptops Under the Tree
There are some limitations you'll want to be aware of. First, this is a limited-time offer, lasting only until the end of January in 2014. That makes sense; F-Secure's aim is to have you install the product on that brand-new computer you got as a holiday gift. They point out a study by the Consumer Electronics Association that reports 74 percent of consumers plan to purchase some kind of CE device for the holidays, and that notebooks and laptops made the top five wish list for both adults and teens.
There's another reason to install the lifetime license on a brand-new computer—it's non-transferable. If you replace that computer before seven years, you can't transfer the license to a new computer. The license specifically states that it lasts "for the functional lifetime of your PC computer but no more than 7 years from the installation date."
Finally, in my own testing F-Secure did a good job keeping malware out of a clean system, but wasn't as effective rooting out already-existing infections. That's yet another reason to install it on a brand-new computer.
A Good Deal?
For $59.99, the basic license for F-Secure Internet Security lets you protect three PCs for one year. A lifetime license costs $79.99. Let's see, so the basic license is about $20 per PC per year, while the lifetime license is less than $12 per PC per year as long as you keep it for the entire seven years. On the flip side, if you replace your PC in less than four years, the lifetime license isn't a bargain.
So, which type of computer user are you? The one who just has to have the very newest box? Or the one who carefully tends each PC year after year, keeping it running well into its old age? Your answer will determine whether this offer is a good match or not. You can find the offer here.

Mobile Threat Monday: An Android Banking Trojan Blast From The Past

Image via Flickr user Tiago A. Pereira
This year, we've seen the number of malware threats targeting Android surpass one million. But along with the staggering number comes a clearer picture of the industrial nature of Android malware, where winning strategies and code are re-used in totally new ways. This week's Mobile Threat Monday looks at a newly detected Trojan which appears to have older roots on a totally different platform.
Trojan: Android/Marchcaban.A
This Trojan appears to be masquerading as an official app for the Banca March, a Spanish bank headquartered in Palma de Mallorca, and was detected by the security company F-Secure. It operates under several aliases, though most are variations of "Bancamarch."
In their analysis, F-Secure found that the Trojan collected information about the infected device, such as: IMEI number, phone model, OS version, and the country where the device is operating. It also called and sent messages to a specific phone number.
The strange thing about this malware? The number it sends your stolen information to is the same used by the Spitmo malware that targeted Symbian phones back in 2010. "We also suspect that it's a component of another malware, possible a banking Trojan that runs on PC," F-Secure told SecurityWatch. However, F-Secure only recently began gathering data on this new Trojan, so it's too soon to say for sure.
Spitmo is the mobile version of SpyEye, the name being an acronym of "SpyEye In the Mobile." It's similar to Zitmo, the mobile version of the Zeus banking Trojan, which is a perennial threat to Android users. According to a 2011 blog post from McAfee, one of the defining differences between Zitmo and Spitmo is that "SpyEye also does not run in the background as a service; it is not active until a predetermined number […] is dialed or an SMS is received."
Interestingly, a reverse number search for the first digits of the recycled number suggests that it's a mobile phone number registered in the UK. Perhaps its reappearance here is because functioning numbers for illegal operations are hard to come by, or that it was sold as part of a larger Spitmo-based exploit kit.
Just the Beginning?
What worries me is that while this Trojan bears some resemblance to Spitmo, it doesn't do the worst of what SpyEye is capable of—suggesting that it was an out-of-the-box solution for the malware creator, or that it could be the beginning of a much worse attack. Given the kind of information it's gathering, targeted malware or spam seem like possible follow ups.
To me, the mysterious phone number shows how Android malware has grown and mutated in such a short time. The strategies and successful malware are quickly taken apart and repackaged by an ever-growing community of attackers, eager to apply them to new regions and new scams. The more things change, the more things stay the same.

Is Streaming Worth the Malware?

Netflix is arguably one of the best ways to procrastinate. You can spend hours finishing up an entire season of television series; of course, this isn't really recommended but when you only have fifteen seconds to decide to watch the next episode…you just can't say no, right? Thus, you can imagine the dismay when I found out that using this great website could compromise my computer.
In order to use Netflix on your PC, you have to install Microsoft Silverlight 5. However, Malwarebytes Corporation revealed in a recent blog post that a vulnerability in Microsoft Silverlight 5 is being used on malicious websites to infect PCs with malware. Silverlight, similar to Adobe Flash, is an application framework created by Microsoft that is designed for writing and running rich Internet applications.
The exploit, which Microsoft patched earlier this year, lets attackers execute arbitrary code on affected systems without user interaction. @EKWatcher first spotted the flaw in Angler Exploit kits and Kafeine later summarized how the attack works.
Once the Angler exploit kit's landing page loads, it determines what version of Silverlight is installed. If it determines that the conditions are right, it crafts a special library to exploit the Silverlight vulnerability. Attackers' true objective is to infect victims' devices with malware; leveraging vulnerabilities simply helps them achieve this.
Silverlight isn't widely used, but a handful of websites require the Silverlight web plugin to view content, including Netflix. Timo Hirvonen noted that Netflix's 40 million subscribers are all at risk for the Silverlight exploit. While Netflix does flaunt this number of streaming subscribers, with options like game consoles, smart TVs, and Roku, quite a few of these users probably never use their computers to stream from the website.
Users with older versions of Silverlight should update the web plugin to help ensure their PCs are not at risk. Updating Silverlight isn't the only way to prevent malware problems. Installing antivirus software is a good way to protect your devices from infections. There's plenty of great software out there, including one of our favorites, Norton Antivirus (2014). Always make sure your programs and software are up to date to avoid any chance of getting targeted by cyberattacks.

Derivatives trader admits to “cyber intrusion” which leaked customer information

A major derivatives trader, CME Group, has admitted it fell victim to a security breach in July, which leaked information on some customers.
CME, described by Bloomberg as the world’s largest futures trader, said in a statement that “to date” there was no evidence that the unknown attackers had affected trades on CME Globex, or that trading in its markets was disrupted, according to a report by PC World.
The Chicago-based firm runs four exchanges, according to PC World, and said in its statement that it was corresponding “directly” with affected customers.
The company said that the “cyber intrusion” had happened in July, and said in a statement that it was “one of the many organizations subject to this type of crime in recent months.”
Bloomberg described the electronic attack as a reminder of “one of the most constant threats” to financial services firms.
Bloomberg pointed out in its report that firms such as JP Morgan and Citigroup had also fallen victim, and quoted Craig Pirrong, a finance professor at the University of Houston, as saying: “We shouldn’t view this as a futures market story alone, all financial services and markets are a target. Investors do need to be concerned.”
The company said that its security teams took “prompt” and “significant” action, saying, “To protect participants, CME Group forced a change to customer credentials impacted by the incident, and is corresponding directly with the impacted customers.”
The attack is the subject of an “ongoing federal criminal investigation”, the company says. CME says it is cooperating with law enforcement.

More woes for BlackBerry after “serious” security bug alert

Embattled handset maker BlackBerry has faced another blow, after the company warned users of a security bug affecting the software used to link its BB10 handsets to PCs.
Sites such as The Register pointed out that the bug comes at a bad time for a company whose security has been a major selling point, describing the Canadian firm as “on the brink”.
The U.S. Computer Emergency Response Team has advised all users that, “BlackBerry has released a security advisory to address potential vulnerabilities that affect a remote file access feature within BlackBerry Link for Blackberry 10 Operating Systems. These vulnerabilities could allow an attacker to obtain elevation of privilege or execute arbitrary code remotely.”
The flaw was discovered by Google researcher Tavis Ormandy, who describes it as “fairly simple” to execute. It affects the Link software used to share files between handsets and PCs.
The Register says in its report that, because the Link software allows users access to files without authentication, “This clears the way for an attacker, under certain conditions, to elevate their login privileges and run arbitrary commands by tricking another user into clicking on a specially crafted web link or visiting a malicious web page.”
BlackBerry says in its security advisory, “This advisory addresses an elevation of privilege or remote code execution vulnerability that is not currently being exploited but affects BlackBerry Link. BlackBerry customer risk is limited by the inability of a potential attacker to force exploitation of the vulnerability without customer interaction.”
Blackberry has issued a patch that addresses the vulnerability.
Next iPhone News points out that security admins will at least benefit from one fact – the number of BlackBerry users has fallen hugely in recent years, down to 1.7%, according to IDC.

Yahoo to encrypt all network data in PRISM backlash

Yahoo's new logo for 2013
Yahoo will begin encrypting all information that moves between its data centres from the first quarter of 2014, the firm said. This move comes after claims that US spy agencies have been snooping on data carried over the firm’s networks.
Chief executive Marissa Mayer said Yahoo was determined to ensure users’ privacy in the wake of the PRISM revelations and reiterated the firm’s position that it had never knowingly allowed the government to access any data.
“There have been a number of reports over the last six months about the US government secretly accessing user data without the knowledge of tech companies, including Yahoo,” Mayer wrote in a blog post. “I want to reiterate what we have said in the past: Yahoo has never given access to our data centres to the NSA or to any other government agency. Ever.”
The agencies have denied taking part in such activities, saying to do so would be illegal, but regardless of this Mayer said the firm was taking action to vastly improve the encryption on its infrastructure.
“We recently announced that we will make Yahoo Mail even more secure by introducing https Secure Sockets Layer (SSL) encryption with a 2048-bit key across our network by 8 January 2014. We are [now] announcing that we will extend that effort across all Yahoo products,” she said.
Mayer said not only would this cover all data moving between data centers but it would also offer users the ability to encrypt all data sent to and from Yahoo by the end of Q1 2014. It will also work with Yahoo-branded email partners around the world to ensure https security is offered.
The revelations that US spy agencies have been collecting data from Yahoo, as well as Google, were among many claims that have been made since documents from whistleblower Edward Snowden came to light laying bare the extent of US and UK spying practices.

Google pays $17m to settle Apple Safari consumer-tracking probe

Google logo (Robert Scoble Flickr)
Google has agreed to pay a settlement of $17m to 38 US states in order to end a probe into claims that it deliberately bypassed user privacy settings in Apple’s Safari browser.
The issue came to light in February 2012 after it was revealed that Google had altered its DoubleClick advertising platform coding to circumvent settings in Safari that stopped third-party cookies from being installed. The practice had been taking place for nine months.
Installing these cookies allows Google to gather information on users’ browsing habits by tracking their movements across the web, so it can serve them more relevant adverts.
The issue has already proved costly for Google, after an investigation by the Federal Trade Commission (FTC) led to a $22.5m fine for the firm. Now the US states have also secured a settlement, citing laws relating to consumer protection and privacy laws.
New York attorney general Eric Schneiderman said securing the $17m settlement – of which New York will receive $899,580 – showed that public privacy could not be ignored by tech giants.
"Consumers should be able to know whether there are other eyes surfing the web with them. By tracking millions of people without their knowledge, Google violated not only their privacy, but also their trust," he said. "We must give consumers the reassurance that they can browse the internet safely and securely.”
Google has also agreed not to deploy similar code in future unless necessary to “detect, prevent or otherwise address fraud, security or technical issues,” and to improve the information given to users about how it serves adverts to their browsers.
Google said that it was pleased to have reached a conclusion in the case and had already acted to ensure the issue does not happen again. "We work hard to get privacy right at Google and have taken steps to remove the ad cookies, which collected no personal information, from Apple’s browsers," it said in a statement.

Active Defense: Good protection doesn’t need to be offensive

Just Google for the search term ‘“active defense” startup’ and it is clear that this is a hot growth area in Internet security. But what is it, exactly? The answer to that question is difficult and controversial, as this is a new name for a wide range of activities that have become increasingly popular as attacks on government and company systems have become both more complicated and more highly targeted.
Active Defense is controversial in part because it has often included the idea that people should “hack back” at intruders. But there are plenty of ways to more proactively defend companies’ resources that do not involve getting into grudge matches with criminals.
Active Defense comprises a range of activities, either within the targeted network or outside of it. These activities can be grouped into three broad areas:
  • Attribution
  • Prevention
  • Retribution

Attribution: Who is attacking, and how?

Attribution pertains to gathering data about specific attack techniques, vectors and origins in order to improve reactive defense technologies. Improving existing defenses is generally done by adding distinctive attack indicators to filtering software, or by black-listing the origination or destination sites of malicious traffic. This information can then be shared with security researchers (such as your security product vendors) and law enforcement officials, to help protect the community at large.
It is important to note that attribution does not mean to positively identify a malicious individual, as attackers commonly use misdirection and proxies to complicate exact identification. Identification is best left to law enforcement, who can collate data from multiple sources and use judicial means to find the culpable parties.

Prevention: What can we do to stop attacks?

Prevention is the area where the broadest range of potential activities resides as it includes both disrupting and preventing the intruder from initiating an effective attack. By thwarting an intruder’s ability to get a complete and accurate picture of your environment, some attacks can be prevented before they have even begun. Active attacks can also be disrupted by directing attackers away from critical resources, or by putting up attack-specific defenses.
Before attackers begin an attack, their first task is to find good targets. Intruders will try to find out what they can about your network and your resources, to determine whether it is worth their effort. Ideally, they would like a target that is relatively unguarded and contains valuable data. Actively preventing attacks at this stage could take the form of denying access or providing misleading data in strategic places.
Be aware that in some cases providing attackers with false data (such as financial information) could get you in legal trouble, and it could inadvertently spill over into the “real world” and affect stock valuation or company reputation. But you can more safely provide fake email addresses that would be gathered by content scrapers or by attackers trying to target key employees.
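The safe variant the paragraph ends on, as an added example that is not part of the original article: mint a distinct decoy address for each place it is seeded (a staff page, a press kit, a profile) so that a hit tells you which source was scraped, and flag any inbound mail addressed to one of them. The secret, domain, placement names and log format are assumptions, and the log lines are constructed.

```python
import hashlib
import hmac
import re

SECRET = b"replace-me-with-a-per-deployment-secret"  # assumption
DOMAIN = "example.com"                                # assumption


def make_honeytoken(placement, secret=SECRET, domain=DOMAIN):
    """Deterministic decoy address per placement: an HMAC of the placement
    name keyed with a secret, so tokens cannot be guessed or enumerated."""
    tag = hmac.new(secret, placement.encode(), hashlib.sha256).hexdigest()[:12]
    return f"{tag}@{domain}"


def placement_for(address, placements, secret=SECRET, domain=DOMAIN):
    """Reverse lookup: which placement produced this address, or None."""
    for p in placements:
        if make_honeytoken(p, secret, domain) == address:
            return p
    return None


# Assumed log shape: a Postfix-style line with sender and recipient fields.
LOG_RE = re.compile(r"from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)>")


def scan_mail_log(lines, placements):
    """Flag deliveries to a decoy address; returns (sender, placement) pairs.
    Nobody legitimate has these addresses, so every hit is a scraper or
    someone working from scraped data."""
    tokens = {make_honeytoken(p): p for p in placements}
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("rcpt") in tokens:
            hits.append((m.group("sender"), tokens[m.group("rcpt")]))
    return hits


PLACEMENTS = ["staff-directory-page", "press-kit-pdf", "public-profile"]

# Constructed log lines: one normal delivery, two to decoy addresses.
SAMPLE_LOG = [
    f"Nov 20 10:01:12 mx postfix/smtpd: from=<newsletter@partner.example> to=<sales@{DOMAIN}>",
    f"Nov 20 10:02:45 mx postfix/smtpd: from=<offers@bulk-sender.example> to=<{make_honeytoken('press-kit-pdf')}>",
    f"Nov 20 10:03:01 mx postfix/smtpd: from=<hr@recruiting.example> to=<{make_honeytoken('staff-directory-page')}>",
]
```

Because the addresses carry no real data, this stays on the right side of the legal caveat above while still telling you which public surface is being harvested.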
Disruption tactics require a clear understanding of what is going on within a company’s network, so that normal traffic can be differentiated from anomalous traffic. With a solid “baseline” of what constitutes normal traffic, unknown or suspicious traffic can be sent to a walled garden or it can be used to lock down further access. Some malware authors take similar actions when their code detects it is running on research machines – they may present alternate behavior or cease execution altogether.
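The baseline-and-divert logic described above, as an added example that is not the article's own code: a per-host baseline (mean and standard deviation of daily outbound volume) is built from a week of history, each host's current total is scored against it, and anything that stands out, or comes from a host with no usable history, is routed to the walled garden rather than allowed through. The traffic figures, host names, thresholds and minimum sample count are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed sample: outbound megabytes per day, per host, over a baseline week.
BASELINE_WEEK = {
    "workstation-a": [120, 130, 125, 118, 132, 127, 121],
    "workstation-b": [300, 310, 290, 305, 295, 300, 310],
    "fileserver":    [5000, 5000, 5000, 5000, 5000, 5000, 5000],
    "printer":       [3, 4],  # too little history to trust a baseline
}

# Constructed sample: today's totals, including a host never seen before.
TODAY = {
    "workstation-a": 400,   # roughly three times its usual outbound volume
    "workstation-b": 305,
    "fileserver": 5000,
    "printer": 3,
    "new-laptop": 90,
}

MIN_SAMPLES = 3  # assumption: days of history needed before a baseline counts


def build_baseline(history, min_samples=MIN_SAMPLES):
    """Per-host (mean, population stdev) of daily totals. Hosts with too
    little history are left out so they fall into the 'unknown' bucket."""
    return {h: (mean(v), pstdev(v)) for h, v in history.items() if len(v) >= min_samples}


def classify(baseline, host, total, z_threshold=3.0):
    """'normal', 'anomalous' or 'unknown-host' for one host's daily total.
    Only upward deviations are scored: the concern is data leaving."""
    if host not in baseline:
        return "unknown-host"
    mu, sigma = baseline[host]
    if sigma == 0:                      # perfectly steady host: any change stands out
        return "normal" if total == mu else "anomalous"
    z = (total - mu) / sigma            # standard deviations above the usual volume
    return "anomalous" if z > z_threshold else "normal"


def route(verdict):
    """Handling per verdict: known-good traffic flows, the rest is diverted."""
    return "allow" if verdict == "normal" else "walled-garden"


def triage(history, today):
    """Routing decision for every host reporting today."""
    baseline = build_baseline(history)
    return {host: route(classify(baseline, host, total)) for host, total in today.items()}
```

The unknown-host branch is the edge case that matters in practice: a baseline built only from known machines says nothing about a new one, so the safe default is to treat it as suspicious until it has earned a history.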
Two of the most popular types of tools used for prevention and disruption are Honeypots and Tar Pits. Both tools’ names give a sticky mental image, and indeed both are intended to hold an attack in place for a time, but through different means.
A Honeypot lures in an attacker, appearing to be a poorly defended user’s machine, where an attacker could try to gain access to a network or to install malware that could spread throughout the environment. Not only does this potentially fool some attackers, it also provides data and possible samples to potentially help protect against attacks at other points in the network.
A Tar Pit is intended to slow an attacker by intentionally delaying initial responses to incoming connections. The idea behind this technique is that legitimate traffic will not be troubled by a brief delay – but an attack that is generating large amounts of unwanted traffic will be less effective if it’s spread out over time, and this extra time could be crucial to allow defenders to detect and block an attack before it causes problems.
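The delay policy behind a Tar Pit, as an added example that is not the article's own code: a per-source sliding window counts recent connections, sources under a free allowance are answered at once, and heavier sources wait longer before their first response, up to a cap, so a flood is spread out while ordinary clients notice nothing. The asyncio server at the bottom shows where the wait sits; the window, allowance, step, cap, port and greeting banner are assumptions.

```python
import asyncio
import time
from collections import defaultdict, deque


class TarPit:
    """Rate-based tar pit: the more connections a source has opened in the
    last `window` seconds beyond `free_connections`, the longer it waits."""

    def __init__(self, window=10.0, free_connections=5, step=0.5, max_delay=8.0):
        self.window = window          # seconds of history considered
        self.free = free_connections  # connections answered with no delay
        self.step = step              # extra seconds per connection over the allowance
        self.max_delay = max_delay    # ceiling so a busy source is slowed, not hung forever
        self.history = defaultdict(deque)

    def delay_for(self, source, now=None):
        """Seconds to hold this connection before the first response."""
        now = time.monotonic() if now is None else now
        q = self.history[source]
        q.append(now)
        while q and now - q[0] > self.window:   # forget connections outside the window
            q.popleft()
        excess = len(q) - self.free
        if excess <= 0:
            return 0.0                           # legitimate-looking rate: answer immediately
        return min(self.max_delay, excess * self.step)


async def handle(reader, writer, pit):
    """One connection: wait out the computed delay, then send the banner."""
    peer = writer.get_extra_info("peername")[0]
    delay = pit.delay_for(peer)
    if delay:
        await asyncio.sleep(delay)   # holds only this client; the server keeps serving others
    writer.write(b"220 service ready\r\n")  # assumption: SMTP-style greeting
    await writer.drain()
    writer.close()


async def serve(host="127.0.0.1", port=8025):
    pit = TarPit()
    server = await asyncio.start_server(lambda r, w: handle(r, w, pit), host, port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```

Keeping the delay inside an asyncio coroutine is what makes this cheap for the defender: a held connection costs a timer, not a thread, so the attacker's traffic is what gets stretched out, not the server's capacity.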

Retribution: Vengeance is a double-edged sword

Having covered Prevention techniques, we are now left with Active Defense by Retribution. This is legally questionable when the intruder is on your own network, and in almost every jurisdiction around the world it is illegal when the target machine is outside your own domain. Retribution is what is commonly called “Hacking Back”, and is the cyber-equivalent of poking a hornet’s nest.
This is so far outside the realm of a worthwhile use of resources that it is not worth serious consideration. Unless your defenses are already ironclad, this will bring you far more pain than protection. Attackers may have far more inclination and resources to continue escalating the attack if provoked. Add to that the fact that attribution is exceedingly difficult: You may very well end up attacking a third party that is an unwitting victim in the attack.

Effective Use of Active Defense

Now that we have established what Active Defense is, we can discuss how it can effectively be used to help defend your network. If you consider the potential types of Active Defense as a grid, we can narrow actions down to those that have the most potential return on investment – those that might be worth using in your environment.

              Internal   External
Attribution   Yes        Maybe
Prevention    Yes        Maybe
Retribution   No         No
Along the continuum of possible actions, the more you lean towards staying within your own network, only collecting data or making modifications in your own environment, the cheaper and simpler a positive outcome becomes. Conversely, any time you enter onto or modify a remote machine, not only does defending your actions in a court of law become significantly trickier, but the return on your own investment of time and effort also quickly plummets.
Even if you could conclusively identify a machine as one belonging to an attacker, two legal wrongs do not make a right. It would also be very difficult to ensure that no other, innocent machines are collaterally damaged by your attack. Beyond that, you cannot truly exclude the possibility that the machine you have identified has itself been compromised and is being used as a proxy to attack you. The likelihood is that vengeance would blaze a trail of destruction for everyone but the attacker him or herself.
Gathering data on activity within your own network is generally safe territory. Whether the data is about employees or intruders, the law in most countries permits an organization to monitor and log its own systems, though notice and consent requirements for monitoring employees vary by country and should be checked before you start. When that data is used for attribution and shared with law enforcement, it is not only helpful to your company; it can potentially help protect the Internet at large. Gathering data from outside sources can be acceptable if the data is publicly available or if the provider of those resources agrees to cooperate; compelling a provider to hand over data, particularly one located in another country, is difficult at best. Hacking your way into remote networks to gather data would obviously be very difficult to defend, legally speaking.
One important use of attribution data is to identify anomalous behavior. This can be tricky, as many organizations have little understanding of what their legitimate users are actually doing on the network. For this tactic to be useful, you will need to answer a number of questions about what constitutes normal traffic within your network. For example:
  • What times of day are people likely to be using the network?
  • What cities will they be accessing it from?
  • What destinations will (or should) users go to?
  • What behaviors and traffic types are approved?
  • Who should be accessing specific resources?
Once these questions are answered, and legitimate traffic is codified, you can use attribution data to pick out behavior that does not fit the baseline and re-route or stop the suspicious traffic.
Setting up Honeypots and Tar Pits on your network is a much simpler matter, and there are many freely available resources to help you do this. These tools are not meant to stop an intruder per se, but to lure them into places within your network where you can study their tactics and better protect your more valuable resources. Because a honeypot is deliberately attractive to attackers, keep it segmented from production systems and monitor it closely, so that it cannot itself become the attacker’s foothold.
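To make the questions above concrete, here is an added example (not code from the original article) that turns the answers into a baseline and checks new events against it: working hours, the cities each user connects from, the destinations each user normally reaches, and the approved protocols. The log format, the field names, the users, cities and hosts, and the list of approved protocols are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed "known-good" session records, one per line, in an assumed
# key=value format. None of these users, cities or hostnames are real.
BASELINE_LOG = """\
2013-11-18T08:55:10Z user=alice src_city=Bratislava dst=mail.example.com proto=imaps
2013-11-18T09:12:44Z user=alice src_city=Bratislava dst=crm.example.com proto=https
2013-11-18T10:03:01Z user=bob src_city=Prague dst=git.example.com proto=ssh
2013-11-18T13:40:22Z user=bob src_city=Prague dst=mail.example.com proto=imaps
2013-11-18T16:20:09Z user=carol src_city=Bratislava dst=payroll.example.com proto=https
2013-11-19T09:01:37Z user=alice src_city=Bratislava dst=mail.example.com proto=imaps
2013-11-19T11:30:00Z user=carol src_city=Bratislava dst=payroll.example.com proto=https
2013-11-19T15:45:12Z user=bob src_city=Prague dst=git.example.com proto=ssh
"""

# Assumed policy: "approved traffic types" come from policy, not from the log.
APPROVED_PROTOS = frozenset({"https", "imaps", "ssh"})

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.+)$")


def parse(line):
    """Parse one record into a dict; the timestamp becomes an aware UTC datetime."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable record: %r" % line)
    fields = m["kv"].split()
    if any("=" not in f for f in fields):
        raise ValueError("malformed key=value field in: %r" % line)
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


class Baseline:
    """Codified 'normal': hour window, per-user cities and destinations, approved protocols."""

    def __init__(self, events, approved_protos=APPROVED_PROTOS, hour_slack=1):
        hours = [e["ts"].hour for e in events]
        # Widen the observed window by hour_slack so early birds are not flagged.
        self.hour_lo = max(0, min(hours) - hour_slack)
        self.hour_hi = min(23, max(hours) + hour_slack)
        self.cities = defaultdict(set)  # user -> cities seen
        self.dsts = defaultdict(set)    # user -> destinations seen (who accesses what)
        for e in events:
            self.cities[e["user"]].add(e["src_city"])
            self.dsts[e["user"]].add(e["dst"])
        self.approved_protos = frozenset(approved_protos)

    def check(self, ev):
        """Return the list of reasons an event deviates from baseline ([] if none)."""
        reasons = []
        if not (self.hour_lo <= ev["ts"].hour <= self.hour_hi):
            reasons.append("off_hours")
        if ev["proto"] not in self.approved_protos:
            reasons.append("unapproved_protocol")
        user = ev["user"]
        if user not in self.cities:
            reasons.append("unknown_user")
            return reasons  # no per-user history to compare against
        if ev["src_city"] not in self.cities[user]:
            reasons.append("new_city")
        if ev["dst"] not in self.dsts[user]:
            reasons.append("new_destination")
        return reasons


def build_baseline(log_text=BASELINE_LOG):
    return Baseline([parse(l) for l in log_text.splitlines() if l.strip()])


def triage(log_text, baseline):
    """Return [(line, reasons)] for every record that deviates from the baseline."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reasons = baseline.check(parse(line))
        if reasons:
            flagged.append((line, reasons))
    return flagged


# Constructed events to triage: one normal, three that should stand out.
SUSPECT_LOG = """\
2013-11-20T09:30:00Z user=alice src_city=Bratislava dst=mail.example.com proto=imaps
2013-11-20T03:14:00Z user=carol src_city=Kyiv dst=payroll.example.com proto=https
2013-11-20T10:00:00Z user=bob src_city=Prague dst=payroll.example.com proto=https
2013-11-20T10:00:00Z user=mallory src_city=Prague dst=git.example.com proto=ftp
"""

if __name__ == "__main__":
    for line, reasons in triage(SUSPECT_LOG, build_baseline()):
        print(", ".join(reasons).ljust(34), line)
```

Two caveats a practitioner will want: the baseline is only as clean as the period it is built from, so an intruder already present during that window gets codified as normal; and a single global hour window is a simplification, since real users in different time zones and roles need per-user or per-group windows.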

Why You Might Use Active Defense

Now that we have defined Active Defense and how it is best employed, you might be wondering whether it is worth the effort for you. Many companies feel besieged by attackers, and they find that traditional defenses alone do not give them the visibility they need to defend their environment. More proactive strategies can certainly strengthen your security responsiveness and visibility, provided you have the bodies and brains available to act on the data they produce.
These techniques are not “set it and forget it” defenses, but a potentially invaluable source of information that can be used to tailor existing defenses to your own particular threat landscape. If that information is not put to use, all you will gain is a bird’s-eye view of virtual burglars rifling through your files. It is up to you to determine, according to your own risk level and degree of risk aversion, whether this is worth the time and effort.