Speaker: Hackers Are on the Offensive, Have Time on Their Side

Chris Gaetano
Published Date:
May 23, 2017
Internet Crime

Andrew Pak, an assistant U.S. attorney in the District of New Jersey, walked his audience at the Foundation for Accounting Education's (FAE) Forensic Accounting and Litigation Services Conference today through the many tools and methods used by criminal hackers across the world and shared some of his tips on how CPAs and their clients can protect themselves. 

Pak is the computer hacking and intellectual property coordinator in his district, and one of the points he impressed on his audience is that hackers today will use any attack that works. It used to be, said Pak, that hacking culture had a certain pride of authorship, where people consistently used certain methods in order to demonstrate their mastery of the technique to gain prestige within the community. Individual actors could be identified through the use of a specific tool that wound up becoming their signature. Pak said these types of hackers are a dying breed. Nowadays, he said, it's more about finding some way, any way, to gain access to the system and monetize the information inside, with malware often bought from other hackers taking the place of custom software designed by the original actor.

This change, he said, has made prosecuting hackers a little more complicated. Today, he said, it's like trying to identify who made an iPhone. Modern hacks utilize so many different players, each making individual pieces of a product, that it's really difficult to connect them into a unified narrative. People sell things like database access, services to make malware less detectable, even copy editing services for someone's phishing emails, but their involvement with the hack ends once they have their money. 

"There's so much out there in terms of services that it's really hard to identify something just because of the method of entry or a single thing used, because you're dealing with one service used by a larger [group]," he said. 

For example, he brought up three major hacks: Businesswire, PR Newswire and Marketwire, all of which distribute press releases for major public companies. Hackers, over the course of years, broke into all three with the intention of getting the draft press releases, which they could then sell to traders who would act on the information ahead of the market.

Marketwire was broken into through a database exploit developed and used directly by the people hacking the company; they tricked the database into giving them the draft press releases. The group also planted a type of software called a "reverse shell," which allowed them to directly enter commands into the network; they used these commands to glean client and employee credentials. Eventually, the company realized it had been compromised and replaced its servers, at which point the group began using phishing attempts to regain entry. Authorities were eventually able to deduce that the group was from Ukraine, and so they asked Ukrainian authorities to search the homes of the hackers and recover their computers. The computers contained enough information to eventually charge and extradite the members of the group. This, he said, was one of the more simple and direct cases. 

In contrast, the PR Newswire hack was more complex. Hackers purchased employees' personal information from another group; that information had been acquired through an unrelated attack on a social networking site. The hackers guessed, correctly, that at least some employees used the same password between their social network profile and their employee credentials. Once they were in, they planted malware that allowed them to access draft press releases. 

"We're looking at very different methods of entry. One is straight hacking. The next is purchasing stolen credentials from a completely different intrusion and using that to crack someone's passwords," he said. 

The Businesswire hack, he said, was even more complex. Hackers purchased database access from another group. While they were not able to directly access the draft press releases, they were able to get the passwords of about 300 workers (while the passwords were encrypted, he said they had tools to get around the encryption). They also stole internal documents listing the position and contact information for over 500 employees. From there, they spent years studying the company's internal dynamics so they could eventually craft phishing emails custom-tailored for specific employees, all to eventually get at the real target, the draft press releases. 

"If it's a big company, you can figure out who reports to who and who doesn't want to keep their supervisor waiting on certain things. There's a lot of ways this information can be leveraged," he said. 

Pak warned his audience that this new generation of cyber criminal can be extremely patient. While there are plenty who do the digital version of the smash and grab, others can spend years planning their heist, then even more years enacting it. The Marketwire and PR Newswire hacks took place between 2010 and 2013, while the Businesswire hack took place from 2012 to 2015. He said he's read reports of cyber incidents where the planning alone took eight years. Unfortunately, he said, time is on their side and they know it. 

"These people are diligent. Now there are hackers out there going for the low-hanging fruit and [the] easy out, but there are also hackers out there with a particular target in mind who want the information from that target and steal that information. And speaking with a number of them, a lot of the time the planning goes on for years before they start hitting the keyboard, before touching the particular network. ...It's not just someone finding an exploit and get[ting] in. Unfortunately, they're on the offensive, and time is on their side," he said. 

Another unfortunate consequence of today's world is that there is so much more information to protect. A company might think that the only thing it has to worry about is its own servers, but he said that the "surface area" is much more broad. Companies need to worry about not just their own networks but those of their employees: their computers at home, their social media accounts, both their work and their personal email accounts and any other access point that could theoretically provide entry to the system. And, said Pak, there's not that much people can do about it. 

"What will you do, lock down your employee's Yahoo account? You can have policies to block people posting work stuff in their Yahoo account, but it's going to happen; you can't rely on that if you want to protect your network," he said. 

Attempts to find perfect network security, he said, are akin to wondering how to make sure your child doesn't get sick ever. It's simply not possible. 

"I know because I have a two-and-a-half-year-old and have never been sicker in my life, so understanding that is important," he said. 

Pak warned his audience that if anyone comes in trying to sell them perfect network security, a set-it-and-forget-it system that needs no maintenance, there's something that person isn't telling them. That sort of thing does not exist: Pak said any tool can be circumvented or overcome. Not that this means every tool is useless, though. Continuing with the sick child analogy, he said that while washing your hands won't protect you from every single possible disease out there, it can help. He asked that the audience just be aware of the limits. 

While it's very hard to prevent a dedicated hacker from accessing a system, he said that it's possible, at least, to not be the low-hanging fruit that more casual cybercriminals look for. He noted that if you're with a bunch of people and are being chased by a bear, you don't have to be the fastest person; you just can't be the slowest. 

First, he said, understand that your personal data is out there. He told his audience to got to FamilyTreeNow.com and look themselves up. It's very likely there will be a full name and address of every attendee and his or her entire family. While some of the sites can be opted out of, others cannot, so he urged his audience to avoid disclosing personal information online. 

He also advised proper password management: Have a meaningfully different password for every single account you have, never save your password to a browser, and use two-factor authentication for any site that offers it. Further, he told his audience that encryption is not magic and so people should not rely on it too heavily. Even encrypted passwords, as demonstrated in the Businesswire hack, can be cracked. 

"Learning and maybe applying some of the things you learned in the situation will put you just a little ahead of the other folks, so you're not the low-hanging fruit," he said. 

Despite such measures, he was blunt in saying that everyone either has been or will be hacked at some point in time. In this respect, it's important to monitor for the symptoms of being compromised: For example, he advised his audience to regularly check their credit scores and bank accounts to make sure everything looks okay. This way, at least, they can be aware of an incident if it happens. 

Click here to see more of the latest news from the NYSSCPA.