Category Archives: Advice and Solutions

White papers, solutions, advice, …

“Crimeware” – How Organised Crime Uses Technology and Social Engineering

“Crimeware” is the latest label given to the technology toolkit criminals (and wanna-be kiddies) use to get information on Internet users’ identities for fraudulent purposes — or just for fun and the 15 minutes of fame in the case of kiddies.

A report by the Anti Phishing Working Group (download link) lists common penetrating mechanisms:

  • Attachments sent via email or instant message – or in an apparently
    discarded hardware devices such as USB keys;
  • Piggybacking schemes in which crimeware is embedded into another piece
    of software such as an apparent shareware application;
  • Internet Worms that exploit vulnerabilities within networks and PCs to
    propagate themselves and install back doors and other crimeware
    applications;
  • Web Browser Exploits in which browser vulnerabilities are leveraged to
    directly infect PCs from the compromised server by the pages being
    viewed or by injecting crimeware code remotely via scripting exploits
    into the PC;
  • Distribution via Hacking in which crimeware is installed manually by
    hackers who have discovered or exploited vulnerabilities that give them
    access and control of a PC;
  • Distribution via Affiliate Marketing in which marketing programs
    provide incentives to 1) install malware on visitors PCs, some of which
    can be later exploited to plant crimeware or 2) to directly install
    crimeware on visitors’ PCs.

While this does not sound new, really, it report is a truly nice textbook approach explaining how these attacks work, backed up with some nice statistics, too. It makes a good read for people with an intermediate knowledge of Internet technology; and it provides ideas for countermeasures against the featured modes of attack.

Download, read, enaction, … and distribute.

How malicious hackers attack (InfoWorld, by Roger A. Grimes)

How malicious hackers attack — an overview by Roger A. Grimes, for InfoWorld

‘When it comes to network defense, the adage “know thy enemy” is never more appropriate.’ — But this is probably the best technique:
‘Every professional penetration tester can easily, and laughingly, recount numerous stories about how easy it is to get unauthorized access from a normal corporate employee. I often walk up to the CEO’s executive secretary and say something like, “Hello, my name is Roger Grimes. I’ve been hired by IT to do password penetration test auditing. I need the CEO’s password.”

How often does this work? So far, 100 percent of the time.’