Cyber-attacks escalate Korean tensions


Page 1: Cyber-attacks escalate Korean tensions

ISSN 1361-3723/13 © 2013 Elsevier Ltd. All rights reserved

This journal and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use:

Photocopying

Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use.

NEWS

Cyber-attacks escalate Korean tensions 1

UK shares information to combat cyber-threats 3

FEATURES

Security for SMBs: why it’s not just big businesses that should be concerned 5

You shouldn’t think that just because you’re a smaller organisation the bad guys won’t come after you. Small and Medium-size Businesses (SMBs) are attractive to cyber-criminals for several reasons – they often possess valuable intellectual property, their security is often weaker than that of larger organisations and, as part of a supply chain, they may offer a stepping stone to compromising larger firms. David Emm of Kaspersky Lab details the dangers faced by smaller firms and offers a security strategy for SMBs.

Getting past passwords 8

Passwords have been with us for a long time and their faults and weaknesses are well understood. There are signs, however, that viable alternatives are becoming available. Banks, for example, have turned to more complex authentication schemes, and the smartphone and tablet worlds are giving us graphical log-in systems. Steven Furnell of Plymouth University looks at what they have to offer, explores their flaws and examines whether they can reduce our dependency on passwords.

Intelligent fraud detection: a comparison of neural and Bayesian methods 14

Fraud is on the rise. And while financial institutions and transaction processors make extensive use of technology to fight it, are they necessarily using the best approach? Neural networks have been implemented extensively, especially by the larger organisations. But, as Mike Alford of Alaric International explains, they don’t offer the flexibility and transparency provided by Bayesian analysis – and this can lead to customers being exposed to greater levels of fraud than is necessary.

Using penetration testing to enhance your company’s security 17

Penetration testing is an information assurance activity to determine if information is appropriately secured. These tests use the same tools and techniques as your potential attackers, but in a controlled manner. However, as John Yeo of Trustwave explains, it’s crucial to understand the aims and limitations of a pen-test, and how it differs from simple vulnerability scanning, if the organisation is to benefit fully from the exercise.

REGULARS

Editorial 2

News in brief 4

Calendar 20

Contents

computer FRAUD & SECURITY

ISSN 1361-3723 April 2013 www.computerfraudandsecurity.com

Featured in this issue:

Security for SMBs: why it’s not just big businesses that should be concerned

The development and deployment of new technologies has been accompanied every step of the way by the release of increasingly complex malicious software. Small and Medium-size Businesses (SMBs) might think themselves immune because they assume that attackers won’t be interested in them. David Emm of Kaspersky Lab explains why this is wrong, how SMBs actually represent juicy targets for attackers, and proposes a security strategy for SMBs.

Full story on page 5…

Getting past passwords

In spite of long-standing and well-recognised weaknesses, passwords continue to represent the most commonly encountered form of user authentication. However, there are now signs of viable alternatives. New approaches range from the more involved login processes demanded by services such as online banking to the more user-friendly graphical approaches offered on mobile devices. Steven Furnell of Plymouth University finds that, while none of them represents a panacea, they do collectively serve to reduce the overall dependency upon passwords and ensure that users are exposed to a wider range of options.

Full story on page 8…

Intelligent fraud detection: a comparison of neural and Bayesian methods

Fraud is burgeoning throughout the world. The evidence seems to suggest that modern Bayesian methods are superior to their neural network counterparts when detecting fraud patterns. However, many of the larger and more traditional financial institutions are still clinging to neural network-based methods, resisting change. In some cases this exposes customers to a greater risk of fraud. Mike Alford of Alaric International compares the two approaches to see if the Bayesian approach might help to redress the balance in producing effective and intelligent fraud detection systems.

Full story on page 14…

Cyber-attacks escalate Korean tensions

The increasing tensions between North Korea and most of the rest of the world have been fuelled, in part, by activities in the cyber realm, with the communist country being suspected of mounting attacks and claiming that it is a victim of them.

Late March saw a massive attack on systems in South Korea, primarily those

Continued on page 3...

Page 2: Cyber-attacks escalate Korean tensions

NEWS

April 2013 Computer Fraud & Security 3

...Continued from front page

belonging to TV broadcasters KBS, MBC and YTN and two banks, Shinhan and Nonghyup, which suffered disruption to ATM and online services. The attacks were apparently mounted by the self-styled ‘Whois Team’ which inserted malware into servers used to distribute software patches.

The attacks exploited data-wiping malware that bears some similarities to Shamoon, used in attacks on the Saudi Aramco oil firm in 2012 and resulting in the take-down of 10,000 PCs. The malware attacks a hard disk’s Master Boot Record (MBR) and Volume Boot Record (VBR) as well as deleting its contents. However, the malware used in the recent attacks has been coded specifically to work against South Korean targets – for example, by checking for the presence of Korean anti-malware products.

Suspicion fell immediately on North Korea – although official sources in the south were careful not to actually point fingers. Symantec highlighted similarities between the recent attack and a campaign mounted against South Korea in 2011. Both, for example, exploited the Jokra malware and the same packer to enable the code to avoid anti-malware detection. And both used source code located in the same disk work path: ‘Z:\Work\Make Troy\’.

However, Avast said that its analysis of the malware might indicate a Chinese origin. The code contains Chinese words and a domain located in China was used in the attack. However, the Chinese Government has disputed these findings and disclaimed any responsibility. Meanwhile, Kaspersky Lab said in a SecureList blog post that these attacks could just as easily be the work of hacktivists or ‘script kiddies’ looking for fame.

While not admitting its responsibility for the attacks, North Korea issued a statement saying that a few days previously its Internet services had been shut down for nearly two days as a result, it claimed, of attacks from South Korea and the US. A Thailand-based ISP, Loxley Pacific, confirmed that the sites had, indeed, been offline, but couldn’t say why. North Korea’s Internet infrastructure is actually very basic, more akin to an intranet with just 1,024 IP addresses. There are no direct connections to the outside world and users have access only to a small number of official websites.

The attacks in South Korea were not isolated incidents. The state-run Korea Internet Security Agency said that attacks from both foreign and domestic sources had risen to 40,000 in 2012, up from 24,000 in 2008.

A US-based human rights group that monitors North Korea was also attacked. The Committee for Human Rights in North Korea (HRNK), based in Washington, DC, had its website defaced, with content being replaced by a poster of ‘Hitman 007-Kingdom of Morocco’. The organisation said it has also been the target of a spear-phishing campaign over recent months.

Activist group Anonymous and its arch-nemesis, self-proclaimed ‘patriot’ hacker ‘The Jester’, have allegedly joined forces to attack North Korea. They succeeded in hijacking official Twitter and Flickr accounts normally used for propaganda and news dissemination. The accounts belong to the Uriminzokkiri website and have been used to post anti-North Korea messages and images, including an image of a ‘wanted’ poster showing Kim Jong-Un as a pig-faced character ‘Nuke Nuke Mickey Lover’. The Flickr account has subsequently been shut down.

Anonymous also claims to have stolen 15,000 hashed passwords from the Uriminzokkiri website, but this is unconfirmed.

UK shares information to combat cyber-threats

The UK is seeing a number of government-led initiatives aimed at fighting cybercrime, most focusing on information sharing.

The Cabinet Office has launched the Cyber Security Information Sharing Partnership (CISP), which builds on a pilot scheme run in 2011 and the Government’s Cyber Security Strategy. The aim is to promote the sharing of information about threats, risks and attacks between government departments, industry and security experts.

The pilot scheme involved 80 organisations and this has now been extended to 160, with more expected to join in the future. And while the pilot scheme focused on five industry sectors – finance, defence, energy, telecommunications and pharmaceuticals – the new, permanent scheme is expected to embrace a broader cross-section of the commercial world.

Another feature of CISP is the creation of a so-called ‘fusion cell’. This is an operations room that will constantly monitor threats and attacks. The cell will be run by analysts from the Security Service (MI5) and GCHQ, the UK’s signals intelligence branch, along with experts drawn from industry.

GCHQ has also announced the launch of a Cyber Research Institute intended to act as an incubator for new security technologies. Funded by a £4.5m grant and based at Imperial College, London, the institute will harness expertise from a number of universities and the security industry to develop automated systems that will detect exploitable flaws in software. This is the second institute to be announced as part of the Cyber Security Strategy and the first to take a practical approach. The first, announced in September 2012, was a think tank with a remit of advancing the “science of cyber-security”.

The development of new standards is another aspect of the Government’s strategy, and as part of this the Cyber Security and Resilience Team within the Department for Business, Innovation and Skills (BIS) is canvassing views from industry on an “organisational standard” for cyber-security.

“The government intends to select and endorse an organisational standard that best meets the requirements for effective cyber-risk management,” said BIS in a statement. “There are currently various relevant standards and guidance, which can be confusing for organisations, businesses and companies that want to improve their cyber-security.”

The Government’s document, ‘Cyber Security Organisational Standards: a call for views and evidence’, is available here: http://bit.ly/201304ukgov.