Listen to this programme if you can

[Noreen]

http://www.bbc.co.uk/iplayer/episode/b00jyyl0/Hacked_to_Pieces/ 
It's frightening!

[Rik]

Listening...

[Noreen]

I've just finished listening to the repeat on the radio. It does tend to make me think that we're all going to fall victim some time or other.

[Rik]

I agree, Noreen, it's getting more and more 'dangerous' to use a computer, whether we patch, use anti-virus etc or not.

[Noreen]

This is what the programme is about.

Jolyon Jenkins investigates whether we have lost the war on cybercrime and looks at a new criminal economy which has grown to feed the demand for our most private details.

Jolyon finds that the security details of ordinary members of the public - their bank details, passwords, and secret security questions are being openly traded in cybercrime forums. He hands over his own laptop computer to an 'ethical hacker' and finds that it takes two minutes for its password to be cracked. Within a few more minutes, the hacker has installed a key-logging Trojan that secretly passes all his computer activity - passwords, emails and all - back to the hacker's own computer.

He finds that we are all vulnerable to criminals who trade on our human weaknesses: our magpie-like obsession with gaudiness and trivia, and our willingness to click the OK button without thinking through the consequences.

Ever since the internet became mainstream, we have been hearing warnings about hackers, spammers and other renegades of the online world. The internet security business now threatens to overtake the Chinese army as the largest employer on earth. But what has this army of consultants achieved, apart from spending billions of dollars? Every year the situation gets steadily worse.

The threat comes not from lone hackers, but from networks of criminals who have developed an astonishingly complex and mature organisational infrastructure that the authorities seem virtually powerless to deal with.

Entire internet relay chat rooms are controlled by the criminal underground economy and the turnover of cybercrime is possibly as big as that of the global illegal drugs trade. And as many as one billion computers - 12 per cent of the world's total internet-connected machines - could be hiding malware of one type or another. Some experts think it's only a matter of time before every PC in the world is infected.

The anti-hacking world is almost entirely privatised - its growth mirroring the rise of the opposition. Frequently, criminal networks have been closed down not by law enforcement authorities but thanks to investigations carried out by dedicated volunteers.

[Simon]

I've had my card defrauded four times now, and I guess, the more you use the internet for shopping, the more risk there is of eventually being 'done'.  I haven't logt any money over it, as on two occasions, the card company spotted the suspicious activity before anything was charged, and on the other two incidents, they refunded me within a couple of days.

I have come across one of those types of forum, and reported them to the police, and to my card companies.

[Rik]

The programme does accord with my experience, ie that the police show little interest in, or competence with, fraud/internet issues.

[Gary]

The programme does accord with my experience, ie that the police show little interest in, or competence with, fraud/internet issues.

I doubt the ever will sadly Rik, and the banks like NatWest offer software that appears to be the ideal solution but you find out there is a caveat, its been hacked already, the problem is so many stores have folded because they can't compete with online sellers like Amazon, that we have less and less choice offline, and even then the risks are almost as great, but in a recession I wonder how banks and credit card companies will react to continued fraud, even if it it is not our fault? Will they say "you are not using our super software so no we wont help you" each bank though offers a different idea, Barclays gave away Kaspersky internet security to customers, that's what I use and would argue that if its good enough for Barclay's customers security, its good enough for mine, but I can see a time when they will turn round and try to point the blame at us, and how do we prove we are up to date and fully patched?

[Sebby]

The programme does accord with my experience, ie that the police show little interest in, or competence with, fraud/internet issues.

I wonder why that is. I suppose it's just too difficult to catch the culprits, although perhaps if they did try harder, they'd find it's actually only a few that are involved.

[Gary]

I wonder why that is. I suppose it's just too difficult to catch the culprits, although perhaps if they did try harder, they'd find it's actually only a few that are involved.

You are probably right Sebby, but also big organised crime mobs like some of those from Russia are behind this now as well, and its almost impossible to trace them, I always wonder why if your card was used, I have had a couple but they were from shops I felt, that when they sort it all out the card companies never tell you wear and when it happened, that would at least keep us in the loop and help us understand what's going wrong and where to take care, Its odd 

[drummer]

I wonder why that is. I suppose it's just too difficult to catch the culprits, although perhaps if they did try harder, they'd find it's actually only a few that are involved.

I think the small print of the Fraud Act 2006 is the real culprit here.

The police were unable and reluctant to deal with online fraud because they had neither the expertise nor the resources to do anything other than pay lip-service to tackling it.

The banks were seriously embarrassed by the flaws in their security and hastily volunteered to take on the role previously enjoyed by the police.

And so it came to pass...

Hence the knee-jerk cancellations of credit/debit cards by the banks and the total indifference of the police to investigate serious cases of fraud/identity theft, because it's no longer their job.

Online fraud and identity theft have been privatised to very the institutions who wish to underplay its prevalence because of their own lax security.

We're being played for suckers while the fraudsters just move on to the next target, unencumbered by trivial issues such as prosecution.

Hey ho...

[somanyholes]

thanks for posting this.

a bit of musing.

PCI doesn't work. It just means they have paid a load of money to someone that thinks and agrees with the fact that process will provide security.

ram scaper (the banks themselves are being compromised. Payment systems in the banks are being compromised by having ram scrapers installed. What these do in essence is pull the card info out of the ram on the banking system, this happens at the millisecond that the info is decrypted before it's encrypted again. Remembering that these systems are not meant to be attached to the wan....

technology isn't going to solve the issue, firefighting will not work, a redesign is required....

white hat hacker = penetration tester (something i'm involved with)

antivirus- whilst not dead will only stand up to known attacks. as has been stated with the large amount of code being generated online is to much for av makers to keep up with.

mr baddog was charging a lot of money for those details..... aside from him  buggering off...

They are getting more and more advanced. A prime example of this is the way in which botnets communicate. These primarily use irc to provide and command and control infrastructure. A master server sends a command out via irc and the compromised hosts receive the command and  do the required.... Now botnets such as ghostnet use http to send and receive commands. This means the access is unlikely to get blocked going out, as http is generally allowed out, proxy's will also allow the traffic out. The commands are now being embedded inside images. So the compromised host is set to vist a certain website at a certain frequency. It downloads the page and the image/images on the website advise the pc what to do next. even if you are sniffing the connection you are just going to see image go by and have no idea the image is issuing commands. Things really are well and truly screwed, and all the security vendors do is issue more technology that provides little resistance, which is generally quickly overcome.

my thoughts anyway.

[Rik]

So we're in deep trouble?

[Noreen]

Researchers from the University of California Santa Barbara (UCSB) have been able to infiltrate and hijack the Torpig botnet for ten days before they were locked out - and just published a paper on their findings. During their time in control the infamous botnet (also known as Sinowal) managed to steal 70 gigabytes of data from unknowing users and, in one hour, 56,000 passwords.

The Torpig malware's been around since at least 2006. It infiltrates PCs through "drive-by-download attacks," exploiting coding vulnerabilities in legitimate websites and forcing machines accessing them to download a rootkit. The rookit then weasels its way into a system so that it Torpig launches during system boot time, evading security programs by starting up before anti-virus software can become active..................

http://www.samknows.com/broadband/news/university-hijacks-torpig-botnet-586.html

How on earth do we protect our computers against these things?

[Rik]

To some extent, we can't Noreen. All we can do is make sure our defences are up to date, ie AV, firewall, malware and Windows patches. The problem is that there is always a gap between an exploit appearing and the defences being upgraded.

[somanyholes]

we just need to take a look a spam levels to see how badly we have failed to approach and apply security to our networks. Something like 97% of all email is spam. It's not that email is a rapidly changing technology because it's fairly static and has been around for years. So how on earth are we supposed to secure technology that changes rapidly if we can't even sort email out.

[Rik]

Frightening thought, isn't it, So.