by: Pierluigi Stella, Chief Technology Officer of Network Box USA
A couple of weeks ago, I was chatting with a journalist who was wondering what I thought of the FBI warning financial institutions of a new attack directed especially at their employees to try and steal customer information directly from the bank’s computers.
This doesn’t really surprise me at all – hackers are trying to steal F.I. information! Really? Wow, would someone kindly explain to me how that’s news, please?
But there IS one thing that _does_ surprise me ~ why would the FBI suddenly warn us about _this_ particular attack and not about others? To comprehend my bewilderment, allow me to explain. Zeus and SpyEye (and many, many others) have been around a while (five years to be exact). They attempt intrusions on users’ computers to steal their bank account information. Once that happens, you literally watch your bank account dollars decrease right before your very eyes. Hackers have for a long time now been sharpening their tools to steal money. After all, that is the ultimate purpose of their hacking anyway.
Hence, the news here would be that hackers are currently shifting their attacks directly towards employees of an organization rather than going after the end user. But that said, this isn’t new news either, because really, something like Zeus is an HTTP sniffer, so if it sneaks its way through onto a bank computer, it’ll be doing just what we’re discussing here ~ stealing information from the employee’s computer.
In other words, I don’t see how this is news. I don’t see why we need a special warning for it. Rather, the warning should be “Attention, there are 500,000 new pieces of malware out there today, and no one has signatures for them!” This is the scary truth, every day of the year.
The real news is that we’re under a constant barrage of malware, so intense that no AV company can truly claim to be able to keep up. THAT is news; yes, in some ways, it’s doomsday news, but that’s the reality of it.
And in my opinion, the news agencies should start doing a better job of educating the public. Rather than search for the sensationalism of “the FBI is warning you …” (I can see the finger pointed in my direction; ominous and scary!), they should undertake the painstaking job of reporting how bad the situation is, and what users could do to defend or protect themselves.
Unfortunately this is tedious, unappealing informational news, not very scandalous at all, and, of course, it’d make for a much catchier headline if I can say “the FBI is warning you”!
But enough bashing, we’re all in this together.
Back to the FBI; three weeks after that warning, I’m still left wondering why they did it. All of you are in the Financial Institution business (a hacker doesn’t care if you’re a members-only, not-for-profit organization – to them, you’re still an F.I. and there’s still money to be stolen!). You all already know this is an issue, and that you must stay alert, 24/7/365: update, patch, evaluate your risk, close any loophole, educate your users, have in place any protection tool the market has to offer, and create processes and procedures that will increase your security.
In all the years I’ve been doing this (I shan’t go into specifics or I’ll start feeling old), I’ve learned that Financial Institutions are, by far, the best protected companies out there.
Credit Unions do an incredible job of protecting themselves; they have security and fraud as a top-of-mind priority, on a daily basis. They (you) know they are the (constant, never changing) target and not just the flavor (or news) of the day. The only thing that has changed is the tools used, but the crooks are always the same.
So, kudos to the Credit Unions for what they’re already doing, and I urge you to do even more, wherever and whenever possible. The FBI warning is indeed real, but at the end of the day, it’s only one single drop in a sea of attacks you face on a daily basis.