Friday, November 13, 2009

$100m for a few weeks' worth of work? No wonder they are switching to the dark side!

http://www.eweek.com/c/a/Security/FBI-Online-Banking-Attacks-Reach-100-Million-Mark-785125/

I was just catching up on my weekly fix of cyber crime bedtime reading and I came across the above article which states that the FBI is warning mid-sized businesses, government departments and academic institutions against emerging cyber theft attacks. The article also states that in the past few weeks a total of $100m was stolen in the US alone, making one wonder what the real cost of cybercrime was on a global scale. I’d hate to think what the annual figure would amount to when one included Europe, Asia, Oceania and the rest of the Americas.

However, the thing that I found most interesting was the fact that the victims of these latest attacks were all businesses or institutions that one would imagine had solid security systems, tools and policies in place. The latest victims included mid-sized businesses, schools and even municipal government departments! That's right, the cyber crims were now targeting those with some serious savings in the bank (one would assume) and were no longer just focusing on easy-to-exploit home internet users who weren’t technically savvy or who had limited security systems in place!

Organisations of such size usually employ multiple layers of traditional security, including gateway devices (firewalls, UTMs, IDS/IPS, anti-spam devices etc), endpoint anti-virus software and even in-the-cloud filtering services (web and email malware, content etc). In addition, these security services are usually deployed and managed by technically-competent professionals or outsource partners.

So where’s the hole in these security systems?

Quite simply, they don’t secure internet-based transactions, but rather scan or filter for known threats in web-based traffic or on computer hard-drives! Yes, they are good at protecting organisations from KNOWN malware, but they fail in protecting organisations from self-induced threats, such as end users actioning phishing emails or executing sophisticated malware attached/embedded in an email/webpage (rootkits, Trojans etc). Once the user self-induces infection, then the malware will happily reside on their machine and do its nasty work undetected.

So what’s the solution?

Organisations (and anyone else using the internet for online transactions such as online trading, online shopping and online banking) should deploy transactional security services that not only scan computers for known and unknown malware, but also secure online transactions via sophisticated isolation and lockdown mechanisms. In doing so, any malware which has been self-induced by the user or which has slipped through the existing security systems will remain isolated from online transactions. Thus, even if your computer is infected, the malware will be unable to penetrate the online session or intercept information being exchanged, rendering it useless. In addition, the security solution would alert you to the fact that known malware or suspicious applications were running on your machine.

I sleep much better knowing that my family’s computers are protected with a security solution that secures internet-based transactions from attacks such as phishing, pharming, man-in-the-middle, man-in-the-browser, DNS poisoning, Trojans, spyware, adware, keyloggers and rootkits. Even better, this security service operates with all internet browsers and costs me less than a dinner-for-two at a fast food restaurant.


I call it online peace of mind.

Monday, October 19, 2009

Ouch! That’s just adding insult to injury!

http://voices.washingtonpost.com/securityfix/2009/10/zeus_trojan_turns_smash_grab_i.html


I just read the above article about a nasty variant of the Zeus Trojan that not only steals your hard-earned (or raised) cash, but then also goes on to kill your computer. In layman’s terms, this is a nasty “double-whammy” Trojan and not only is the victim left without an operational computer, they probably also no longer have any savings left in their bank account to be able to repair the computer or buy a replacement. Ouch!

Although we have seen the nasty Zeus Trojan on the internet crime scene for some time and although we have read about other cases where victims have been robbed of hundreds of thousands of dollars (our above example lost US$87,000!), this is the first time we have seen Zeus coupled with a “KOS” (kill operating system) command that basically does as its name implies: kills your operating system!

I have seen only three “transactional security” technologies available globally that have the smarts to “lock-down” your online transaction session and stop any malware on your computer from stealing your confidential information (such as password, online ID etc) and passing it on to the cyber criminals.

1) The first such technology is a simple browser plug-in (add-on?) out of Israel which only works with Internet Explorer and Firefox (that there is a problem in itself since I prefer to use two other browsers, and as such, I will not be protected from the onset if I continue to use my browsers of choice). The other fundamental issue with this technology is that although it protects your online session, it doesn’t care for the state of the forensics running deep within your computer hardware and operating system. Hence, it wouldn’t have ever alerted you to the fact Zeus was on your computer, and although it might have saved you from the online theft, you probably wouldn’t be reading this blog since your computer is RIP in computer cemetery as a result of the KOS attack.

2) The second technology is a sand-box browser offering out of the USA which protects you during online transactions, so long as you use the safe browser they provide you with (once again this is an issue for me since I prefer using only two browsers and I really can’t be bothered changing browsers while I’m online just to check my bank balance or pay a bill). Oh, in addition this offering will also fail to alert you of the Zeus infection since it simply assumes your computer is always infected. Yes, it would’ve saved you from the online theft if you were infected with Zeus, but your computer would also be RIP in computer heaven as we speak.

3) The third technology not only offers secure “lock down” transactions, it does so regardless of which browser you use. Yes, you are free to use them all - Internet Explorer, Firefox, Chrome, Opera, Safari, Avant etc. Oh, and this clever technology also contains a kernel forensics engine which in a matter of seconds interrogates everything running on your computer (yes, I said SECONDS, not HOURS) and kills anything unauthorized or malicious while alerting you to the threat and providing you with relevant info on how to remove the threat from your computer. So in the above case, this technology would have alerted you to the fact that Zeus was running, informed you of the removal process, killed the process in real-time and protected you during your online transaction. In layman’s terms, you’d still have your savings in your bank account as well as your beloved computer.

Now that’s what we call online peace of mind.

Thursday, October 15, 2009

We want REALISTIC options!

http://www.crn.com.au/News/157767,nsw-police-dont-use-windows-for-internet-banking.aspx#comments

Just read the above article and thought to myself "geez, how bloody annoying would it be to have to load up another OS just for online transactions!".

Recommendations such as using a more secure OS or using a sandbox web browser are great in theory, but there's always a big disconnect between theoretical greatness and practical implementation.

Yes, theoretically speaking it's safer to not talk on my mobile phone, but let's face it, it's more practical than pulling over to slot a 50c coin into a public telephone that probably doesn't even work! Yes, conventional ovens are safer than microwave ovens, but sometimes even 2 minutes is too long to wait for my dinner!

Similarly, at the end of the day we all want to continue to exercise our full right to browse the web in whatever fashion we are used to. I want to use my new Windows 7 OS (why else would I pay for an upgrade?)! I want to use any damn browser I feel like using (I change browsers based on my moods)! I don't want to boot up a new OS or open a new browser just to check my online bank balance or pay a bill!

All I want is something that protects me while I am online. Something that will ensure my money stays where I put it - in MY bank account. I don't want to change the WAY I transact online. I only want online peace of mind.

Wednesday, October 14, 2009

coming soon, stay tuned...


info@onlinepeaceofmind.com