  • Inside Track
    June 18, 2012

    Are You at Risk for Cyber Attacks? Or Can You Snag the Phish Before the Phish Snags You?

    Cybercrimes, such as identity theft and stealing of account information, cost the country billions of dollars annually. No computer is beyond reach; we therefore must be vigilant.

    Angelina Gabriele

    “The judge made me so angry today…”

    “Lawyer X is a liar and cannot be trusted…”

    “My boss is so annoying…”

    “Guess what my co-worker did today…”

    In today’s age of instant electronic communication, much of what before would have been confidential conversation is now preserved in writing and potentially accessible to those malcontents who wish to harm the author’s career or personal life (or that of the employer). It is naive for anyone to believe that their electronic correspondence will never be seen by anyone other than the intended recipient.

    According to Janet Napolitano, Director of the Department of Homeland Security, a speaker at the April 20, 2012, American Bar Association Spring conference, hosted by the ABA Section of Administrative Law and Regulatory Practice, cybercrimes such as identity theft and stealing of account information cost the country at least an estimated $388 billion each year. “We also think that, that’s just the tip of the iceberg,” she continued. “Securing cyberspace has become increasingly important to us and to our way of life, and there is a lot to be done.”

    On average, these attacks can go undetected for up to six months, and once discovered it can take another six to nine weeks (or longer) to determine what information has been exfiltrated and/or infiltrated. Many times, these cyber attackers leave back door mechanisms to re-enter the system even after the attack has been discovered. The preferred and most effective method thus far has been spear phishing wherein an e-mail containing a link is sent, the unsuspecting recipient clicks on the link, which then gives the attacker access to the machine, and ultimately the server itself. For example, visiting West Point teacher and National Security Agency expert Aaron Ferguson sent a message to 500 cadets asking them to click a link to verify grades. Ferguson’s message appeared to come from a Col. Robert Melville of West Point. More than 80 percent of the recipients clicked the link in the message. In response, they received a notification that they’d been duped and a warning that their behavior could have resulted in downloads of spyware, Trojan horses, and/or other malware.


    Who Is at Risk?

    No one is beyond the reach of these attacks; we therefore must be vigilant. Recently, “hacktivists” have engaged in cyber attacks for political activist purposes. Thus far, these hacktivists have gone after personal information of high government officials in an effort to use that information not for financial gain but instead to intimidate or embarrass. Much of this personal information can be obtained from social networking sites. Potentially useful information to a hacktivist can include address, phone number, family photos, and personal messages: “friend to friend.”

    Take the example of Time Warner executive Jeffrey Bewkes. A recent hacktivist attack posted his home addresses, a home telephone number, his wife’s name, and contact information for Time Warner as a part of “Operation Hiroshima,” an anonymous campaign to pressure public figures and law-enforcement officials seen as supporting various repressive policies. Following a list of Bewkes’ and Time Warner’s contact information, the posting concluded, “Utilize the phone numbers, faxes, email addresses, and social networking sites, and make sure Time Warner knows that not they, nor anyone else, has the right or authority to control the Internet.”

    Emails sent to family members or friends discussing personal family or medical issues, as well as interoffice email banter or complaints among co-workers and colleagues, may all serve to humiliate and compromise the reputation of employees if publicized after a cyber attack. It should not be difficult to imagine. Recall the 2012 attack on Stratfor in which five million internal emails were published. You and your elected employer do not want to be placed in the defensive posture of having to explain the “banter,” and suffer the humiliation of exposure of personal correspondence.

    Likewise, when you engage in online shopping or banking, check personal email, Facebook, MySpace, or credit card activity from a work computer (even if during off-hours), you put all that information at risk of being discovered and distributed by cyber attackers. Similarly, checking work email from home computers, which may lack many of the protections of a work computer, can be risky.

    Snagging the Phish

    It is, therefore, increasingly important for all of us to be on alert both at home and at work. We cannot always rely on the IT department’s virus protection to keep us safe.

    Unfortunately, the three things that make spear phishing successful are hard to identify and therefore make us easy targets:

    • The apparent source (of the email) appears to be a known and trusted individual,
    • there is information within the message that supports its validity, and
    • the request the individual makes seems to have a logical basis.

    For example, the perpetrator finds a web page for the target organization that supplies contact information for the company. Using available details to make the message seem authentic, the perpetrator drafts an email to an employee on the contact page that appears to come from an individual who might reasonably request confidential information, such as a network administrator. The email asks the employee to log into a bogus page that requests the employee’s user name and password or click on a link that will download spyware or other malicious programming. If a single employee falls for the spear phisher’s ploy, the attacker can masquerade as that individual and use social engineering techniques to gain further access to sensitive data.
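    The scenario above leaves traces a mail filter or a careful reader can check. The following is an added example, not part of the original article: a short Python check for a trusted display name on an outside address, a mismatched Reply-To, and link text that shows the organization's domain while the link goes elsewhere. The domain, the trusted name, and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.org"  # assumption: the organization's real domain
TRUSTED_NAMES = {"network administrator"}  # assumption: names staff defer to
# Constructed sample message, not a real phishing email.
SAMPLE = """From: "Network Administrator" <admin@example-org.support>
Reply-To: helpdesk@mail.invalid

<p>Log in at <a href="http://login.example-org.support/verify">https://portal.example.org/login</a></p>
"""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # start collecting the visible text of this link
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def in_org(host):
    # True for the organization's domain and its subdomains only
    return ("." + (host or "").lower()).endswith("." + ORG_DOMAIN)

def review_message(raw):
    msg, findings = message_from_string(raw), []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if name.lower() in TRUSTED_NAMES and not in_org(from_domain):
        findings.append("trusted display name, outside sender domain")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append("Reply-To differs from From")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
        if shown and in_org(shown.group()) and not in_org(urlparse(href).hostname):
            findings.append("link text shows org domain, href goes elsewhere")
    return findings
```

    Calling `review_message(SAMPLE)` returns all three warnings; a message from the real domain whose links match their visible text returns none.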

    The technique can also install pervasive and pernicious programs that convert an employee’s computer into part of a botnet, essentially transferring control of the computer and its contents unbeknownst to the employee. Botnets can then send information about a user’s activities to their creators by logging keystrokes – typically passwords, credit card numbers and other information that can be sold on the black market.

    Therefore, if your computer suddenly starts operating slowly or erratically; you receive emails accusing you of sending spam; or you have email messages in your outbox that you didn’t send, there’s a good chance your computer has been compromised.

    To avoid becoming such a victim, the following precautions are recommended:

    • Be cautious about opening any attachments or downloading any files from emails you receive. Even if the email is from a friend or co-worker, be careful about what you choose to open since their computer could be compromised. If you send an email attachment, explain in the email what the attachment is.
    • Be careful what you download from the Web. Only visit sites you trust. It is recommended that you use a web browser that has security features or use a program that checks the status of websites to ensure that they are safe to visit and use.
    • Turn off your computer when you are not using it.
    • Install antivirus and antispyware programs from a trusted source. Anti-malware programs scan and monitor your computer for known viruses and spyware. When they find something, they warn you and help you take action.
    • Keep all software up-to-date. Regularly install updates for all your software and subscribe to automatic updates wherever possible.
    • Use strong passwords and keep them secret. Use a reputable password checker to determine the strength of your password.
    • Never turn off your firewall. A firewall puts a protective barrier between your computer and the Internet. Turning it off for even a minute increases the risk that your computer will be infected with malware.
    • Use flash drives cautiously. Connecting your flash drive (sometimes called a thumb drive) to a computer that is infected could corrupt the drive and your computer.

    Ultimately, we must be vigilant in protecting ourselves and our employers from such insidious and potentially humiliating attacks.

    About the Author

    Angelina Gabriele, Wisconsin 1995, is an assistant district attorney for the Kenosha County District Attorney’s Office. She prosecutes misdemeanor and felony cases, as well as providing training to law enforcement on legal issues relevant to criminal law both locally and statewide.

    This article is adapted from the June 2012 State Bar Government Lawyers News, published by the Government Lawyers Division. The State Bar offers its members the opportunity to network with other lawyers who share a common interest through its four divisions and 26 sections. Membership includes access to newsletters, email lists to facilitate information sharing, and other resources.


