Hacking, Malware, and Social Engineering—Definitions of and Statistics about Cyber Threats Contributing to Breaches

This article was first published on IRMI.com and is reproduced with permission.
Copyright 2012, International Risk Management Institute, Inc.

As breaches continue to occur and affected organizations determine whether and how to disclose these breaches, breaches and disclosure continue to be the subject of reports as well as media, legislative, and regulatory attention. See, for example, Melissa J. Krasnow, Securities and Exchange Commission Issues Guidance on Cybersecurity and Cyber Incident Disclosure (Dec. 2011).

by Melissa J. Krasnow
Partner, Dorsey & Whitney LLP

The 2011 Verizon Data Breach Investigations Report examined breaches that Verizon, the U.S. Secret Service, and the Dutch National High Tech Crime Unit investigated in 2010. This report classified and tallied the types of cyber threats that contributed to breaches. Hacking and malware were utilized in the majority of the breaches, at 50 percent and 49 percent, respectively. Social engineering was involved in 11 percent of the breaches. Many times, these three types of cyber threats from the report and related terms are used but not defined.

This article provides definitions of and statistics from the report about hacking, malware, and social engineering as well as the related terms pretexting, phishing, and spear phishing.

Hacking

Hacking is a broad term that describes all attempts to intentionally access or harm information assets without or in excess of authorization by thwarting logical security mechanisms. The three methods of hacking utilized most commonly in hacking breaches were exploitation of back doors or command/control functionality, exploitation of default or guessable credentials, and brute force and dictionary attacks, at 73 percent, 67 percent, and 52 percent, respectively. With a back door installed, an attacker can bypass security mechanisms and obtain access without using legitimate channels. Regarding the other two methods, an attacker tries a few well-known combinations of default credentials used on various types of systems and, if necessary, then runs a brute force attack to crack the system.

Malware

Malware is short for malicious software and means any software or code developed or used for compromising or harming information assets without the owner’s informed consent. Malware enables or prolongs access, captures data, and/or furthers the attack. The most common means of infection for malware is installation or injection by a remote attacker, constituting 81 percent of malware infections. One example is an attacker breaching a system and then deploying malware or injecting code via SQL injection or other Web application input functionality. Web-based malware, the second most common means of infection, comprises code that is auto-executed (also known as drive-by downloads) and code that requires additional user interaction beyond the page visit (e.g., fake audiovisuals scaring users to “click here to scan and clean your infected system”).

Sending data to an external site/entity, back door, and keylogger/form-grabber/spyware were the three most common functions found in malware breaches, at 79 percent, 78 percent, and 66 percent, respectively. A back door allows an attacker unauthorized access to infected devices; through it, an attacker can install additional malware, use the device as a launch point for further attacks, or retrieve captured data. A keylogger is typically built by the attacker as a preconfigured remote installation package that, once deployed on a target system, captures data from user activity.

When malware captures sensitive information, it must be taken out of the organization’s environment: either the malware sends it out of the organization (in almost 8 out of 10 incidents involving malware) or the attacker reenters the network to retrieve it. The general rule is that smaller packets are sent out (e.g., credentials captured by keyloggers), while larger amounts of data are retrieved (e.g., the contents of a network file share transmitted through a back door’s file transfer capabilities).

Social Engineering

In a social engineering attack, an attacker uses human interaction (i.e., social skills) to obtain or compromise information about an organization or its computer systems. Social engineering tactics include deception, manipulation, and intimidation to exploit the human element or users of information assets. An attacker may be able to put together enough information to infiltrate an organization’s network. If an attacker is not able to gather enough information from one source, the attacker may contact a source within the same organization and rely on the information from the first source to add to his or her credibility. Often, these actions are used together with other types of cyber threats and can be conducted through both technical and nontechnical means.

Solicitation and bribery were the most common type of social engineering tactic, used in 74 percent of social engineering breaches. Solicitation and bribery frequently entail collusion between an external agent and an insider. One party uses petitions, promises, and payments to get another to participate in the crime.

Pretexting

Pretexting was used in 44 percent of social engineering breaches. Pretexting is the practice of getting an individual’s personal information under false pretenses using a variety of tactics. The pretexter may be able to obtain personal information including a Social Security number, bank and credit card account numbers, information in a credit report, and the existence and size of savings and investment portfolios. However, some information about an individual may be a matter of public record, including whether they own a house, pay their real estate taxes, or have ever filed for bankruptcy. It is not pretexting for another person to collect this kind of information.

Counterfeiting and forgery were used in 16 percent of social engineering breaches and can involve everything from websites to documents (e.g., the use of fake credentials such as driver’s licenses or birth certificates).

Phishing

Phishing attacks were used in 11 percent of social engineering breaches. Phishing attacks use e-mail or malicious websites to solicit personal information by posing as a trustworthy organization. For instance, an attacker may send e-mail appearing to be from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, an attacker can use it to gain access to the accounts. Phishing attacks may also appear to come from other types of organizations, like charities. Attackers often take advantage of current events and certain times of the year, including: (1) natural disasters (e.g., Hurricane Katrina), (2) epidemics and health scares (e.g., H1N1), (3) economic concerns (e.g., Internal Revenue Service scams), (4) major political elections, and (5) holidays. Interestingly, phishing attacks are being used more often to gain a toehold in the victim’s environment through attached malware.

Spear Phishing

Spear phishing involves targeted e-mails that typically are used as a catalyst for individuals to click on hyperlinks or open attachments, allowing the downloading of malicious content to the user’s device and the unauthorized entry into an organization’s network. Business activities and products that could be leveraged by an attacker to develop targeted e-mails addressed to individuals within an organization include:

• media releases,
• business mergers and acquisitions,
• business reports/stock reports/financial statements,
• competing for contracts,
• awarded contracts,
• technological breakthroughs,
• international dealings,
• other public information of interest to malicious actors,
• natural disasters,
• being referred to by other parties in their public release statements,
• government/industry events,
• government or industry work stoppages, and
• international or political events.

Holding Passwords Hostage – International Extortion Foiled

In a case recently filed by a Swiss company in federal court in Florida, the company alleged in its complaint that Jerome Westrick, its former computer programmer and minority shareholder, stole a company laptop, hacked into the company’s computer system, changed access codes and passwords, and locked out the company and its customers from getting into its enterprise content management software. WIT Walchi Innovation Technologies, GMBH v. Westrick, 2012 WL 33164 (S.D. Fl. Jan. 6, 2012).

Then, Westrick allegedly sought a $300,000 payment to reveal the changed access codes and new passwords.

The Court Said, “No!”

The ploy did not work. The court issued a temporary restraining order requiring the immediate return of the laptop and directing Westrick to maintain its integrity, and directed him not to disclose the passwords and access codes to third parties.

What to Do if This Happens to You

There are a couple of ways to handle this type of theft. One approach is to go to the Department of Justice or the FBI and file a criminal complaint. No guarantees – there is no way to predict whether the criminal authorities will investigate and prosecute the case because of competing priorities and limited resources. If they do, there is no way to predict when they will do it. In short, you have no control over what, if anything, happens.

Another approach is to do what this company did. It wisely filed its complaint alleging various violations of the Computer Fraud and Abuse Act (“CFAA”). By doing so, it exercised self-help under a law designed to protect against computer crimes, including extortion in relation to computers. Rather than engaging in a protracted court proceeding, it brought a laser-directed court action that resulted in the return of its property and the end of the extortion. This of course does not mean that while you are prosecuting your CFAA action, you should not file a complaint with the authorities. Just understand that what you and your attorney do may well result in quicker and more efficient justice.

Act Fast

Employees have access to the keys to your kingdom. Most, when terminated or when they leave, do the right thing. When they do not, you need to recognize it and act fast. A court will not grant emergency relief such as a temporary restraining order unless you treat the matter as the emergency it is. You need to be prepared immediately to —

• Investigate and gather admissible evidence to prove the theft of the data and the extortion that can be presented to a court to justify the entry of an immediate injunction.

• Hire expert counsel familiar with the CFAA who can coordinate the investigation with an eye to filing the appropriate court papers.

In many instances, as demonstrated by the Westrick case, taking the civil route as opposed to the criminal route is the best course of action.

Think You Own Your LinkedIn, Twitter and Facebook Account? Think Again.

You may not, as reflected in the recently reported decision in Eagle v. Morgan, 2011 WL 6739448 (E.D. Pa. December 22, 2011), in which both the employee and her former employer claim ownership of the employee’s LinkedIn account on the popular social networking site for business professionals. The dispute is starkly drawn in the litigation’s opposing pleadings and provides a strong warning to the hundred million plus LinkedIn users and other users of social media who operate under the assumption that their social media accounts belong solely to them to transfer as they please when they change jobs.

The facts in the Eagle case will sound familiar to all social media mavens who use sites like LinkedIn to promote their businesses and professional careers. The plaintiff Linda Eagle, a Ph.D. in communications and psychology, established her LinkedIn account in 2008 after she and others founded Edcomm, Inc. (“Edcomm”) to train individuals to work in the financial services industry. Like others who sign up for a free account with LinkedIn, Dr. Eagle’s complaint alleges she had to assent to a user agreement which constitutes “a legally binding agreement with LinkedIn Corporation” and, as such, “information provided to LinkedIn is owned by the LinkedIn user, subject to the other terms of the User Agreement.” Id. at *1.

According to LinkedIn’s terms of use, “[u]sers can maintain only one LinkedIn account at a time” and “Dr. Eagle [as alleged in her complaint] used her account to promote Edcomm’s banking education services; foster her reputation as a businesswoman; reconnect with family, friends, and colleagues; and build social and professional relationships.” Id.

In October 2010 Sawabeh Information Services Company (“SISCOM”) purchased Edcomm. Dr. Eagle initially remained employed by SISCOM as its CEO, but approximately 6 months later Edcomm involuntarily terminated her employment. According to Dr. Eagle’s complaint, Edcomm then hijacked her LinkedIn account using her LinkedIn password. Her complaint alleges that Edcomm used her password “to gain unauthorized access” to her account, “changed the password,” and “then changed Dr. Eagle’s account profile to display” Edcomm’s new CEO’s “name and photograph” “but Dr. Eagle’s honors and awards, recommendations and connections.” Id. at *2. The complaint alleges that Edcomm “used Dr. Eagle’s account both to prevent her connections from reaching her, and to acquire business connections for the benefit of . . . [the new CEO] and Edcomm.” Id.

In response Edcomm filed a counterclaim alleging facts that Dr. Eagle’s LinkedIn account had been established and used for the benefit of Edcomm at Edcomm’s expense. Thus, the counterclaim alleges “that Edcomm, while under Dr. Eagle’s management, implemented a policy requiring Edcomm’s employees to create and maintain LinkedIn accounts.” Id. at *3. All Edcomm executive employees, as a matter of company policy, were required “to: (a) utilize their Edcomm email address for LinkedIn accounts; (b) utilize a specific form template, created and approved by Edcomm, for their description of Edcomm, work history, and professional activities, as well as photographs taken by a professional photographer hired by Edcomm; (c) contain links to Edcomm’s website on LinkedIn accounts and the Banker’s Academy webpage, as well as Edcomm’s telephone number; and (d) utilize Edcomm’s template for replying to individuals through LinkedIn.” Id. The counterclaim further alleges that “[c]ertain Edcomm employees monitored these LinkedIn accounts, corrected any violations of Edcomm policy, and maintained accounts for several employees for the benefit of Edcomm” and that “all discussions, connections, and content were added by” Edcomm employees. Id.

In short, Edcomm alleges that “Dr. Eagle’s LinkedIn account was used for Edcomm business and Edcomm personnel developed and maintained all connections and much of the content on her account” and that Dr. Eagle, who regained control of her LinkedIn account after initiating her lawsuit, had “wrongfully misappropriated both Edcomm’s connections on the LinkedIn account and Edcomm’s telephone number constituting Edcomm’s proprietary information on the account.” Id.

Based on these dueling allegations both sides filed numerous claims against each other. Dr. Eagle alleges violations of the Computer Fraud and Abuse Act (“CFAA”), Title 18, U.S.C. § 1030, violation of Section 43(a) of the Lanham Act, 15 U.S.C. § 1125(a)(1)(A), unauthorized use of name in violation of 42 Pa.C.S. § 8316, invasion of privacy by misappropriation of identity, misappropriation of publicity, identity theft under 42 Pa.C.S. § 8315, conversion, tortious interference with contract, civil conspiracy and civil aiding and abetting. Id. at *2. Edcomm also alleges violations of the CFAA, misappropriation, conversion, tortious interference with contract but added claims for unfair competition and a violation of the Pennsylvania trade secret law.

Dr. Eagle moved to dismiss all of Edcomm’s claims on the ground that they do not, as a matter of law, allege facts constituting proper claims for relief. The court granted Dr. Eagle’s motion to dismiss all of Edcomm’s claims except for two Pennsylvania law causes of action: 1) misappropriation of an idea and 2) unfair competition, which is essentially based on the same elements as the misappropriation claim. Under Pennsylvania law, misappropriation of an idea requires the plaintiff to prove that 1) the plaintiff had an idea that was novel and concrete and 2) the idea was misappropriated by the defendant. Id. at *13. As the court explained,

[t]o determine whether an idea has been misappropriated, Pennsylvania courts look to the three elements of common law misappropriation:
(1) the plaintiff “has made substantial investment of time, effort, and money into creating the thing misappropriated such that the court can characterize the ‘thing’ as a kind of property right,” (2) the defendant “has appropriated the ‘thing’ at little or no cost such that the court can characterize the defendant’s actions as ‘reaping where it has not sown,’” and (3) the defendant “has injured the plaintiff by the misappropriation.”

Id.

In refusing to dismiss the misappropriation and unfair competition counts, the court relied on the allegations in Edcomm’s counterclaim that “Edcomm personnel, not Dr. Eagle, developed and maintained all connections and much of the content on the LinkedIn Account, actions that were taken solely at Edcomm’s expense and exclusively for its own benefit.” Id. The court stated, “[w]hile Plaintiff argues that Edcomm fails to allege facts that would show that it made a substantial investment of time, effort, and money into creating the cell phone number or LinkedIn account, Edcomm counters that its employees developed the accounts and maintained the connections, which are the route through which Edcomm contacts instructors and specific personnel within its clients.” Thus, the court held that “these conflicting allegations create an issue of fact requiring further discovery.” Id.

With businesses like Edcomm actively encouraging their employees to use social media as a marketing tool, there can be little doubt that litigation over the ownership of social media accounts is likely to increase. Just last July PhoneDog.com, a popular mobile phone site, sued a former employee in federal district court in California; the employee had amassed approximately 17,000 followers on Twitter, and PhoneDog claimed that the followers constituted a company-owned customer list entitling it to $2.50 per month per follower, or $350,000 in total damages. The only way to avoid the inevitable lawsuits over the ownership of these accounts is for both employers and employees to be proactive in establishing ownership rights prior to using individual social media accounts as a marketing tool.

From the employer’s standpoint, this ownership issue is a prime reason why employers should adopt social media policies clarifying who owns the social media accounts and what the ownership rights are when the employment relationship is terminated. For example, it may make sense to allow employees using LinkedIn to keep their accounts but cleanse them of information that belongs to the employer, both because of the employer’s financial investment in the site and to ensure the employee is no longer associated as a spokesperson for his former employer. As a strategy to minimize, and perhaps avoid litigation altogether, an agreement between the employer and employee delineating the post-employment rights of both the employee and employer to the account would seem the most efficient way to deal with this issue.