Ten Tips to Combat Cybercrime

By James F. Leon

E-mail Story
Print Story
MAY 2008 - Despite the increased efforts to strengthen Internet security in recent years, cybercrime has jumped enormously, as shown in the annual 2007 cybercrime survey conducted by the Computer Security Institute (www.gocsi.com/press/20070913.jhtml). According to the survey, the average loss per cybercrime in 2007 for U.S. companies escalated to $350,000 from $168,000 the previous year.

Data breaches, credit card fraud, fraudulent websites, eavesdropping, and identity theft all fall under the umbrella term cybercrime. To execute these crimes, hackers and con artists use tools such as fraudulent e-mails, network sniffers, Internet cookies, scripting languages, software vulnerabilities, and wireless networks. Below are 10 practical tips that accountants can implement to minimize security threats, plus detailed explanations of several tools that computer criminals commonly use.

1. Identify Suspicious E-mails

E-mails often come from a different source than the company or entity they appear to be sent from. Although the sender of an e-mail may appear trustworthy, recipients should be aware that the sender’s name in the header can be construed (spoofed) by a con artist. Individuals should also note to whom the e-mail is addressed in the first line of text. Con artists often send fraudulent e-mails stating, “Dear Customer,” “Dear Patron,” or “Dear Member,” because they do not know the recipient’s name. An e-mail with an individual’s correct name in the first line of text can still be a hoax. Names can easily be acquired through many sources, including compromised company databases that contain personal information.

Fraudulent e-mails tend to have catchy openings intended to play on the recipient’s propensity for fear or greed. An e-mail eliciting fear may claim that an individual’s personal information has already been compromised, such as an account number, credit rating, or stolen password. An e-mail enticing greed may claim, “You have won the contest” or “You are entitled to a large tax refund.” In all cases, fraudulent e-mails will require the recipient to click on a link.

Exhibit 1 shows an example of a fraudulent e-mail allegedly from the IRS. The hacker wants the individual to follow the “click here” link, but hovering the mouse over the link exposes a spoofed website:,
www.criticalsecret.org/abcd.html. Navigating to this site gives the hackers access to the recipient’s computer, making it vulnerable to attacks. Hackers are also increasingly sending pictures, banners, and other graphic forms in fraudulent e-mails, asking potential victims to click on these graphics (see section 2.2.2 in www.ngssoftware.com/papers/NISR-WP-Phishing.pdf).

2. Create a Link Homepage

In addition to avoiding links in potentially fraudulent e-mails, individuals should not follow links in foreign webpages (third-party URLs that can possibly be deemed untrustworthy). A tip is to create a “link homepage”, which is an HTML page that lists the links of one’s favorite sites.

A link homepage is an actual page on the Internet created through one’s Internet service provider (ISP) that can be accessed from any computer in the world. For example, if Jane Doe’s ISP is Comcast, she could set up a hypothetical page with Comcast named www.comcast.net/janedoelink.html. Exhibit 2 shows an example of Jane Doe’s sample link homepage at Comcast. The link homepage has a list of the correct URLs of Jane’s most commonly visited sites and is deemed trustworthy because Jane herself typed in the trusted links when she created her page. All she has to do is remember the URL of her link homepage at any computer in the world with Internet access. Using a link homepage will significantly reduce the possibility of clicking a harmful link, and Jane will be able to visit her favorite websites from any computer in the world within seconds.

The link homepage should not be confused with a person’s “favorites” list that is bookmarked in a web browser. Bookmarks can be accessed only from the computer on which they were saved, whereas a link homepage can be accessed from any computer with an Internet connection. A user’s bookmarks are the ideal links to be copied over to a link homepage, assuming the links are trustworthy.

3. Encrypt and Digitally Sign E-mail with Clients

Unencrypted e-mail sent to clients can be easily viewed (sniffed) by a hacker along the path of communication between the sender and recipient. The most obvious party sniffing one’s e-mails could be the ISP, which can handle upwards of thousands of e-mails per day (see www.computer.howstuffworks.com/carnivore2.html). Most ISPs will eventually archive all e-mails they handle, and even deleted e-mail can still be accessed by the ISP later in time.

To address these concerns, all confidential e-mail should be encrypted with an e-mail encryption program. In a typical encryption system between a CPA and a client, each party will have a public and a private key, used to encrypt messages. To send an encrypted e-mail to a client, the CPA will encrypt the message with the client’s public key. The client will decrypt the e-mail with her private key to read the message. To reply back to the CPA with an encrypted e-mail, the client will encrypt the message with the CPA’s public key; the CPA will subsequently decrypt the client’s e-mail with his private key. As long as private keys are not lost or stolen, it is virtually impossible for a network sniffer to decrypt the message.

Most e-mail encryption programs also allow the use of digital signatures, the electronic equivalent of a CPA’s written signature. It is legal proof that an e-mail sent from a CPA to a client is indeed authentic and not fraudulent.

Several vendors specialize in the use of encrypted e-mails and digital signatures, either free or for a fee. Companies specializing in e-mail security include Pretty Good Privacy (www.pgp.com), Zixcorp (www.zixcorp.com), Hushmail (www.hushmail.com), Encryptomatic (www.encryptomatic.com), Tryten (www.tryten.com), and CryptoMail (www.cryptomail.org).

4. Disallow Permanent Cookies in Web Browsers

A cookie is a small text file from a website that is saved on a user’s computer during interaction with that website. A cookie can contain nonsensitive information, such as a user’s favorite actor, at a movie database, or favorite author, at a bookseller’s website. A cookie can contain sensitive information as well, such as a user’s password to a site, credit card number, or account number.

There are two types of cookies: session or permanent. Session cookies are temporarily stored on a computer and present limited risks. Permanent cookies are text files that are stored long-term on a computer and can persist for up to several years. Hackers try to steal permanent cookies through a variety of methods, hoping the permanent cookies contain users’ confidential information. Users should enable the option on their web browsers to block permanent cookies, eliminating the risks they pose.

5. Disable Scripts in Web Browsers

By clicking links on the Internet, users receive pages of hypertext markup language (HTML). The HTML may contain a small program called a script. The script is written in a scripting language, which then executes on one’s computer. Like cookies, some scripts pose no threat to a user’s computer. Many scripts, however, come from hackers and are malicious. These malicious scripts can steal data (cookies) and even change the operating system’s settings. Users should disable scripts on their browsers, rendering them unable to execute. To disable scripts, go to the security preferences in a browser and “check” the disabling of scripts. An article (with screenshots) explaining the steps involved in blocking cookies and scripts can be found at
www.aicpa.org/pubs/jofa/apr2007/leon.htm.

6. Understand Software Vulnerabilities

Many software programs can unknowingly lead to security vulnerabilities. An example is the Google desktop search bar often installed for convenience. Users may not realize that when certain options are enabled in the Google desktop, documents opened on their computer are automatically sent to Google servers. A highly confidential file may unknowingly be sent to a Google server.

Users must be aware of the vulnerabilities that installed software may contain. A suggested site to learn more about common software vulnerabilities is Carnegie Mellon’s Center for Internet Security (CERT, www.us-cert.gov/cas/techalerts). This site is updated daily with software vulnerabilities that have been found.

Another valuable site for software vulnerabilities is the System Administration, Audit, Network, Security Institute (SANS). This institute is highly respected for its vast resources on security topics, shared through training, conferences, and research. SANS maintains a yearly list of software vulnerabilities called the “SANS Top 20 Security Risks” (see www.sans.org/top20), as well as a reading room of papers written on software vulnerabilities (see www.sans.org/reading_room/).
As a security precaution, users should be vigilant in updating their software. Older versions of Microsoft products, such as Internet Explorer, Outlook E-mail, MS Office, SQL Server, and IIS Web Server, have many known vulnerabilities that can be easily exploited.

7. Install a Firewall

All communications performed over the Internet involve exchanging packets with other computers. These packets may contain e-mail messages, instant messenger chats, or HTML pages. Unfortunately, packets can contain harmful software or malware sent from a hacker. A firewall is a mechanism that screens and filters packets sent to a computer and exists as either a software or hardware firewall. Exhibit 3 shows the difference between a software firewall and a hardware firewall.

A software firewall (sometimes referred to as a personal firewall) is a packet screening program that is installed on a computer. Some operating systems (such as Windows) have built-in software firewalls but could benefit from the installation of additional software firewalls, such as the Norton firewall (www.symantec.com). In a software firewall, the packet sent to a computer is filtered upon entry into the computer. The drawback is that the software firewall must be individually installed on each computer, which could pose a problem for an office with multiple computers.

A hardware firewall (sometimes referred to as an enterprise firewall) is a separate physical device, that performs packet screening before the packet reaches a personal computer. The Juniper Netscreen-204 from Juniper Networks (www.juniper.net/products_and_services
/firewall_slash_ipsec_vpn/netscreen_204_slash_netscreen_208/
) is an example of a hardware firewall. The hardware firewall device is connected to the computer and filters malicious packets, based on specific screening criteria. Sample criteria that can be screened by a firewall include the sender of a packet or the contents inside the packet.

A packet that is deemed unauthorized or dangerous to a computer is discarded (dropped) and never physically received inside the computer. Although hardware firewalls tend to be more expensive than software firewalls, one of them can protect a whole network of computers.

8. Conduct Financial Transactions at Secure Websites Only

A secure website is one that has received a certificate of authentication from a certificate authority (CA). Businesses set up secure websites to assure their customers that the site is not fraudulent. CA companies such as Verisign, Ensure, and Thawte are designed to set up such certificates for businesses. A company can acquire different levels of certification and assurance with its certificate from a CA, as can be seen on Thawte’s website (www.thawte.com/comparison/comparison.html).

The CA is the trusted third party that will vouch for the identity of a secure website. The business entity must prove its legitimacy to the CA during its registration process. Once the business proves its identity, the CA establishes the domain name (URL) that will be used for the secure website.

Users should look for two indicators when browsing a secure site. The first is a “lock” image displayed on the webpage. Exhibit 4 shows the lock in the URL area. The second item, also shown in the exhibit, is that “https” will begin the URL instead of the typical “http.” To inspect the site’s certificate, users can click on the lock and the certificate will appear (see Exhibit 5).

A benefit of a secure website is that all Internet transactions will be encrypted using secure socket layer protocol (SSL), which is created by Netscape. An unsecured website poses the risk of being spoofed, or of a hacker sniffing the financial transaction (because communication will not be encrypted).

9. Secure Wireless Networks

In addition to having secure login passwords, wireless networks should also be encrypted. Wired encryption privacy (WEP), used for security in wireless networks, is not a secure protocol because it can be easily hacked. In choosing a wireless encryption protocol on a wireless router, users should opt for Wi-fi protected access (WPA), either WPA1 or WPA2.

Most wireless access points have an option to hide the service set identifier (SSID) broadcast stream from the wireless router or access point. When this option is turned on, hackers attempting to access wireless networks will be unable to see the hidden SSID access point in the list of wireless networks that are broadcasting. The broadcast is still occurring, but hackers will need more sophisticated equipment and knowledge to gain entry on the wireless network.

10. Install Password Management Software

Password management software programs securely manage all website and network passwords by making them randomized and encrypted. These programs also securely maintain all passwords internally so users no longer have to write down or recall their passwords to the websites they frequent. Using password management products drastically minimizes password theft. Vendors specializing in password management products include Password Safe
(passwordsafe.sourceforge.net/), AES Software (www.aespasswordmanager.com), and RoboForm (www.roboform.com).

Stay on the Defensive

An accountant should be aware of cybercrime and the tools of cybercriminals. When using the Internet to conduct business, it is best to be defensive. By taking some or all of the appropriate actions presented above, accountants can minimize potential disasters and stay one step ahead of cybercriminals.


James F. Leon, EdD, CPA, CISSP, is director of IT training in the department of computer science at Northern Illinois University, DeKalb, Ill.


 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 



The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2009 The New York State Society of CPAs. Legal Notices