According to the National Cyber Security Alliance, this year and the foreseeable future, one in five small businesses in the U.S. will be hacked. Of those that do get hacked, there’s a better than 60% chance they will go out of business. That’s about the same odds as playing the game of Russian roulette.
No sane person would ever consider playing that game, knowing the possible end result. So why do small to medium size businesses (SMBs), and many big ones too, play this game in the business world? All across the globe, SMBs, law firms and medical practices play it on a daily basis with their business computers, leaving themselves vulnerable to cyberattacks with their sensitive data exposed. So how do cyber-criminals gain easy access to corporate computers, laptops, and mobile devices? How are they grabbing the crucial data whose loss is causing so many hacked businesses to close their doors for good?
The answer is keyloggers. A keylogger is an insidious and extremely effective piece of malware that is capable of evading detection by nearly all anti-virus programs. It can get past the sandboxing and whitelisting attempts of some of the most advanced firewalls and IPS/IDS devices. A keylogger does exactly what the name states: it captures every keystroke typed on a computer keyboard and transmits that stolen information to a remote server controlled by the hackers. This may seem elementary to many people in the cybersecurity industry, but most people, from small business owners up to board members of Fortune 500 companies, are not aware of this very effective weapon used to compromise thousands of computer systems.
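The one thing a keylogger cannot avoid is the transmission step described above: the captured keystrokes have to leave the machine, and they tend to leave in small, regular uploads to one destination. The following is an added example, not code from the article or from OneForce Technologies, of a defender-side check that looks for that shape in proxy logs. The log format, host name, process names and destination hosts are all constructed for the example.

```python
"""Beaconing check over constructed proxy logs (added example, not from the article)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: an unknown helper process posting small uploads to one host
# about every 60 seconds, mixed in with ordinary browsing. All names are invented.
SAMPLE_LOG = """\
2013-09-02T09:00:01 host=WS-17 proc=upd_helper.exe dst=cdn-sync.example POST bytes=812
2013-09-02T09:00:15 host=WS-17 proc=chrome.exe dst=news.example GET bytes=51200
2013-09-02T09:01:01 host=WS-17 proc=upd_helper.exe dst=cdn-sync.example POST bytes=790
2013-09-02T09:01:40 host=WS-17 proc=chrome.exe dst=mail.example GET bytes=2048
2013-09-02T09:02:02 host=WS-17 proc=upd_helper.exe dst=cdn-sync.example POST bytes=845
2013-09-02T09:02:55 host=WS-17 proc=chrome.exe dst=news.example GET bytes=16384
2013-09-02T09:03:01 host=WS-17 proc=upd_helper.exe dst=cdn-sync.example POST bytes=801
2013-09-02T09:04:01 host=WS-17 proc=upd_helper.exe dst=cdn-sync.example POST bytes=823
2013-09-02T09:04:10 host=WS-17 proc=chrome.exe dst=mail.example GET bytes=4096
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) "
    r"(?P<method>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["bytes"] = int(rec["bytes"])
        yield rec


def find_beacons(records, min_events=4, max_cv=0.15, max_bytes=4096):
    """Flag (host, proc, dst) tuples whose outbound POSTs recur at a near-fixed
    interval with small payloads. The coefficient of variation (cv) of the gaps
    between uploads is the regularity measure; a human browsing never looks like this."""
    by_key = defaultdict(list)
    for r in records:
        if r["method"] == "POST":
            by_key[(r["host"], r["proc"], r["dst"])].append(r)
    findings = []
    for key, evs in by_key.items():
        if len(evs) < min_events:
            continue
        evs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        if cv <= max_cv and max(r["bytes"] for r in evs) <= max_bytes:
            findings.append({
                "host": key[0], "proc": key[1], "dst": key[2],
                "events": len(evs), "mean_gap_s": round(mean_gap, 1), "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample above the helper process is flagged (five uploads, 60 s mean gap, cv near 0.01) while the browser traffic is not. The thresholds are starting points, not tuned values: legitimate update agents also beacon, so a hit is a lead for the analyst to check against a software inventory, not a verdict.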
Keyloggers have been credited with many of the world’s most notable breaches: RSA/EMC, Lockheed Martin, Google, Epsilon, Oak Ridge Nuclear Weapons Lab, Citibank, Sony, World Bank, TJX, Heartland Payment Systems, the New York Times, NBC, Schnucks Supermarkets, as well as tens of millions of medical clinics, small businesses and consumers around the world. According to the 2012 Verizon Data Breach Investigations Report, malware was found in 69% of the breaches. Of the breaches where malware was used to steal data, 98% of the time it was paired with keylogging functionality.
Let me emphasize that: 98% of malware contain keyloggers.
What makes the keylogger the weapon of choice is that it has been designed to avoid detection by anti-virus and anti-malware tools, and by anti-phishing training, too. Cyber-criminals continuously test their malware against all the available security solutions to ensure it can evade detection and deliver its payload. Keyloggers can be embedded into any type of download (an MP3, a video, a picture file, a codec needed to play some videos, a Flash file, an online game) or attached to a phishing email or any type of web link. Mobile devices are not spared either: mobile malware has jumped 614% in the last year.
Social networking websites, like Facebook, LinkedIn, Twitter, Tumblr, and Pinterest, have become one of the favorite places for hackers to propagate spyware. Why? They are porous in terms of defense. Facebook is an extremely popular attack vector because of the popularity of third-party applications and games such as Farmville, Candy Crush Saga and Words With Friends, amongst others. Offers of a “dislike” button and of apps to see who unfriended you are also very popular and successful tactics. Just last month, a hacker who “debugged” Facebook code and wasn’t paid for it got the world’s attention by hacking Mark Zuckerberg’s FB page. Should anyone now entrust his or her data to Facebook?
Anti-virus and anti-spyware cannot keep up with this threat; they are still stuck in the 1990s, relying on signatures and weak attempts at behavioral analysis. This is why A/V solutions have been found in recent studies, reported in the New York Times, to be less than 25% effective against modern malware, and less than 2% effective against a targeted attack. Keyloggers make a mockery of the majority of cyber defenses. They are the path of least resistance for hackers.
The Internal Threat of Email
So what kind of data are the cyber-criminals after that’s causing so much economic carnage? For starters, it’s banking credentials. Banking websites’ usernames and passwords are highly sought after because hackers can easily wire all the money in the bank to foreign bank accounts and/or prepaid debit cards. Email usernames and passwords are also highly sought after by the cyber-criminals because they are the keys to our online lives. Email addresses can be used to reset passwords for nearly everything we do online, such as credit cards, home utility bills, car payments, health insurance access, and online payroll websites. It’s easy for a cyber-criminal to set up several of their cronies with paychecks at the expense of small businesses.
Cyber-criminals are also after product designs, engineering drawings, sales plans and forecasts, negotiation positions, client and customer lists, contracts, sensitive emails, H.R. records with employee social security numbers, and a whole lot more. For medical practices such as doctors’ offices and clinics the danger lies in the fact that many of them have poor or non-existent cybersecurity hygiene to begin with. They play online games, download music, and surf the web unrestricted on the same computers that house patient medical information. (I know because I have personally witnessed this behavior numerous times.) Healthcare systems easily become infected with keyloggers due to poor user behavior and protocol, not to mention a lack of security tools. Medical office staffs are burdened with finding training solutions and documents to satisfy HIPAA training compliance requirements.
In an effort to avoid paying for these solutions, they perform web searches and download a free document, PowerPoint or PDF file, not realizing that these files may be booby-trapped with malware that the hackers intentionally placed there, free of charge, to lure unsuspecting victims to them. This is known as a watering hole attack.
The Prize of Medical Data
Prized medical data includes Medicare and other health insurance identification numbers, access to cloud-based EMR/EHR (Electronic Medical Records / Electronic Health Records) systems, and access to a doctor’s ability to write e-prescriptions. With access to e-prescriptions, a cyber-criminal can impersonate a doctor to obtain expensive drugs and other controlled substances, then invoice them to an unsuspecting patient’s insurance. A medical hacker can also impersonate a patient and obtain expensive medical care under the victim’s name.
Medical identity theft is not as easy to repair as financial identity theft. In many cases, these forms of personal attack take upwards of five years to be corrected, and might still not be corrected, given the credit agencies’ indifference towards people. Medical identity theft can also have dire and sometimes deadly consequences for an elderly or sick victim: incorrect prescriptions or treatments can result from medical records contaminated and altered by someone impersonating them to obtain healthcare. Is it any wonder that healthcare is seen to be approximately seven to ten years behind the financial industry when it comes to cybersecurity controls?
To think that all of this started with keyloggers and could have been prevented is the amazing part. Why make life easy for the army of hackers? Aside from the financial impact of suffering a cyber breach, and/or of not reporting it the right way in accordance with data breach notification laws, the damage to reputation can be irreparable. Compound that problem with class action lawsuits, insurance companies denying liability claims to victimized businesses, and state attorney general offices imposing penalties for suffering a breach. How can these breached companies stay in business?
Over the years many security solutions have sprung up, attempting either to stop keyloggers from getting onto a computer system or to sidestep them with impractical virtual keyboards. Some even give a false and dangerous sense of security by promising to hold all the secret passwords in an encrypted vault. I say false and dangerous because while the passwords may be encrypted in the database, the master password used to lock and unlock these applications is still susceptible to desktop keylogging.
This is also one of the major flaws of file encryption tools to begin with. What good is encryption if the keys to the kingdom are compromised at the keyboard? Protecting against this is an impossible task for these solutions, because they attempt to protect the data at the application layer while the keylogger operates at the kernel layer, hooking into the message queues of the Windows and Apple operating systems (you read that correctly: Apple is not immune to keyloggers). To put it in plain English, they’re trying to protect the 7th floor of a building by locking the doors and windows while completely ignoring the air vents coming up from the basement.
Now, this is not an attempt to disparage the password vaults and encryption tools, because they’re still the good guys and are making an effort to combat cyber-crime, except that they’re fighting the battle on the wrong front. Many organizations educate their staff with anti-phishing training, hoping they become more secure because their employees now recognize the Nigerian 419 scam and know not to click on an attachment from a foreign person or entity. But how many of those training sessions are effective at helping an employee recognize that a colleague’s or college friend’s email account has been hijacked by a cyber-criminal in an attempt to get them to open a trapdoor attachment named “executive pay summary” or “recruitment plan”?
That type of spear phishing campaign is what compromised RSA’s systems with keyloggers and gave the hackers access to the design of the company’s SecurID two-factor authentication product. A security company being hacked through its flagship product: how ironic is that? Anti-phishing training alone isn’t effective because all it takes is one clueless or disgruntled employee to click on the link and compromise everything. And with large corporations turning over new workers every week, training alone will not get it done. A company’s cyber defenses should never be solely dependent on training to detect phishing attempts; that is only one line of defense. Employees should instead be trained on what constitutes sensitive and protected information, and on how to handle that data to comply with the various regulatory compliance laws. They also need to be trained on the regulatory and privacy laws within the jurisdiction of their businesses, such as HIPAA, PCI and MA 201 CMR 17 in the U.S., and the EU Data Protection Directive and PCI for businesses that are based or operate within the European Union.
The best approach is a holistic approach. That is what businesses need to survive the relentless assault on everything they’ve spent years building. The best approach consists of defense in depth, coupled with education. In other words: focus on protecting the data and applications by locking them down with role-based access controls; tag the data to detect abnormal behavior and insider abuse; authenticate the human with multi-factor authentication, instead of relying on certificates on the machine, when a request comes in remotely. And last but not least, cloak the data from the hackers by deploying a “keystroke encryption technology” to render keyloggers useless. Only then will the playing field be leveled and businesses have a chance of surviving this cyber onslaught.
"The Dangers of Spies on Your Keyboard" was written by Peter Simon. Peter is an Information Security Evangelist and IT security solutions architect. He founded OneForce Technologies in 2007. OneForce Technologies helps companies demystify security by delivering training solutions to address the various regulatory compliance requirements for data security. This article originally appeared in Cyber Defense Magazine.