This Week in Cybercrime: What Do We Know about the South Korean Cyberattack?

Clues But No Conclusive Evidence

What do we know about this week's cyberattack on South Korean broadcasters and banks? We know that it was a coordinated attack that hit roughly 32 000 computers on 20 March at 2 p.m. local time. We know that it took several hours to restore online banking services for NongHyup Bank and two other banks and to get the companies’ ATMs up and running. And although TV broadcasts by YTN, a 24-hour news channel, and two other networks were not affected by the attack, the networks’ computer servers may have suffered severe damage. Researchers have also figured out that the malware was programmed so that when the clock struck two, it would disable a machine’s security software, determine which version of Windows its host was running, and begin corrupting the hard drive. According to researchers at FireEye, the malicious code then overwrote all the hard drive contents. After wiping the hard drives and master boot record, the program forced a reboot that turned the computers into high-tech paperweights. According to a Wired article, the malware “also included a module for deleting data from remote Linux machines. The malware searched for remote connections and used stored credentials to access Linux servers and wipe their master boot record.”
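
The attack above ended with the master boot record overwritten and a forced reboot. The following is an added example, not code from the article or from any of the firms it cites: a small Python triage check a responder can run over the first sector of a disk image to tell an intact MBR from a zeroed or junk-filled one. The sample sectors are constructed for the example; only the MBR layout (boot signature at offset 510, four 16-byte partition entries from offset 446) is real.

```python
# Added example: triage check for a wiped master boot record.
# Sample sectors below are constructed; the MBR field layout is the standard one.
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"

def parse_mbr(sector: bytes) -> dict:
    """Parse the boot signature and 4-entry partition table of a 512-byte MBR."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4 LE) sector count(4 LE)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[510:512] == BOOT_SIG, "partitions": entries}

def assess_mbr(sector: bytes) -> str:
    """Classify a sector as 'intact', 'zeroed' or 'corrupted'."""
    if sector == bytes(SECTOR):
        return "zeroed"
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "corrupted"
    used = [p for p in info["partitions"] if p["type"] != 0]
    if not used:
        return "corrupted"
    for p in info["partitions"]:
        # Only 0x00/0x80 status bytes are legal; a used entry cannot start at LBA 0.
        if p["status"] not in (0x00, 0x80) or (p["type"] != 0 and p["lba_start"] == 0):
            return "corrupted"
    return "intact"

def build_sample_mbr() -> bytes:
    """Constructed intact MBR: one bootable type-0x07 partition at LBA 2048."""
    sec = bytearray(SECTOR)
    struct.pack_into("<B3xB3xII", sec, 446, 0x80, 0x07, 2048, 204800)
    sec[510:512] = BOOT_SIG
    return bytes(sec)

# Constructed stand-in for a sector a wiper has overwritten with junk.
GARBAGE_MBR = bytes((i * 73 + 11) & 0xFF for i in range(SECTOR))
```

On a real image, read the first 512 bytes of the raw device or image file and pass them to `assess_mbr`; a "zeroed" or "corrupted" result on a disk that previously booted is the signature of the overwrite described above.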

Another piece of the puzzle, provided by security firm Trend Micro, indicates that its researchers detected a phishing email sent to South Korean organizations on the day before the attack. That come-on, ostensibly from a bank, had an attachment laced with a Trojan. This leads Trend Micro to think that the hackers had taken advantage of their own form of just-in-time delivery.

What we don’t know for sure is where the attack originated. The knee-jerk conclusion most observers jumped to is that North Korea had begun to make good on the threats it had been issuing since it was hit with UN sanctions following a nuclear test in February. It wasn’t long before China became the focus of suspicion. But as investigators dug deeper, South Korean government officials who initially said they traced the attack to a Chinese IP address had to admit a certain level of uncertainty. The IP address turned out to be one used internally by NongHyup Bank, one of the victims of the attack. South Korea’s Communications Commission said it belatedly discovered that by a freak coincidence, the address matched one registered in China. But South Korea still hasn’t taken North Korea off its list of suspects because this wouldn’t be the first time its neighbor to the north targeted the country’s media, banks, and government agencies. Seoul is still smarting from the so-called “Ten Days of Rain,” a 2011 denial of service attack for which it blames the Pyongyang government; the attack is said to have been an elaborate scan of South Korea's computer defenses.

Cyberattacks Kill Small Businesses

We hear all the time about mega corporations having their (and their customers’) pockets picked by cybercriminals. But a Wall Street Journal article published this week focused on a subset of cybercrime that rarely makes news. The U.S. House of Representatives’ Small Business Subcommittee on Health and Technology held a hearing on Thursday devoted to the issue of "Protecting Small Businesses Against Emerging and Complex Cyber-Attacks." Though big companies with deep pockets may make for enticing targets, many cybercrooks prey on firms they consider to be low-hanging fruit. During the hearing, subcommittee chairman Rep. Chris Collins (R-NY) cited a survey reporting that 20 percent of all cyberattacks were aimed at businesses with 250 or fewer employees. Worse, said the study, close to 60 percent of small firms that are victims of cybercrime go out of business within six months of their systems being compromised. It’s easy to see why small companies don’t bounce back the way companies such as Sony, Google, and LinkedIn do. Among the experts who testified at the hearing was Dan Shapero, founder of IT company ClikCloud. Shapero reported that a data breach could cost a company $214 per compromised customer record, enough to drive a small business into bankruptcy.

MPAA Wins the Day, BitTorrent Sites Have to Pay

On Thursday, a three-judge panel of the 9th U.S. Circuit Court of Appeals ruled that the distribution of movies, songs, video games, and software by BitTorrent file-sharing services IsoHunt, Torrentbox, and Podtropolis violates U.S. copyright law. Furthermore, said the judges, the services are liable for monetary damages. The decision marks the first time a U.S. appeals court has ruled against BitTorrent search engines.

Gary Fung, owner of IsoHunt, argued that his company was, like Google, merely a search engine, and thus fell under the umbrella of the Digital Millennium Copyright Act’s safe-harbor provision, which keeps Internet companies off the financial hook for illegal content posted by their users as long as it is taken down at the rights holder’s request. But the judges drew a distinction between the BitTorrent sites and Google, noting that the sites’ business model made copyright infringement the primary goal. “This ruling affirms a core principle of copyright law: Those who build businesses around encouraging, enabling and helping others to commit copyright infringement are themselves infringers, and will be held accountable for their illegal actions,” Henry Hoberman, a vice president for the Motion Picture Association of America, told Wired. The MPAA began its legal pursuit of the BitTorrent sites in 2009.

How much might Fung be on the hook for? The U.S. Copyright Act lets courts award damages of up to $150 000 per infringement. So, a quick, back-of-the-envelope calculation yields a worst-case figure of, oh, say, a bazillion dollars.

Apple Tightens iTunes and App Store Login Security

Though iTunes and Apple App Store accounts don’t contain state secrets or corporate trade secrets, no one wants to find out that someone else has hacked into and taken control of his or her playlists—or worse, gleaned information that could be used to steal their money or identity. To that end, Apple has made gaining unauthorized access to those accounts more difficult with the introduction of a two-factor authentication system like the ones banks use for online access. Actually, the new system mirrors the one Google uses for Gmail: When someone attempts to log in to an account from a computer, tablet, or handset other than one the account holder registered as a trusted device, a four-digit code is sent via text to the account holder’s phone. Gaining access requires entering the account password along with the numeric code.

The new system, however, is not enabled by default. Users can turn it on in their Apple ID settings under the Password and Security option.
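
To make the flow described above concrete, here is an added example, not Apple's or Google's code: a minimal server-side model in Python of password check, trusted-device list, and a four-digit code sent out of band only when the device is not trusted. The class and method names, the 300-second code lifetime and the five-attempt cap are assumptions; the text message is replaced by a callback. The attempt cap is the part a practitioner should not skip, since a four-digit code has only 10 000 possible values.

```python
# Added example: model of a trusted-device second factor with an SMS-style code.
# Names, CODE_TTL and MAX_ATTEMPTS are assumed; send_sms stands in for the text message.
import hashlib, hmac, secrets, time

CODE_TTL = 300      # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 5    # 4 digits give only 10 000 codes, so guesses must be capped (assumed)

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, password, trusted_devices, send_sms):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = _hash_pw(password, self._salt)
        self.trusted = set(trusted_devices)   # devices the account holder registered
        self.send_sms = send_sms              # callable(code); stands in for the SMS
        self._pending = None                  # [code, issued_at, attempts_left]

    def login(self, password: str, device_id: str) -> str:
        """First step. Returns 'denied', 'ok' (trusted device) or 'code_required'."""
        if not hmac.compare_digest(_hash_pw(password, self._salt), self._pw_hash):
            return "denied"
        if device_id in self.trusted:
            return "ok"
        code = f"{secrets.randbelow(10_000):04d}"   # CSPRNG, never derived from time
        self._pending = [code, time.time(), MAX_ATTEMPTS]
        self.send_sms(code)
        return "code_required"

    def verify_code(self, code: str, device_id: str, now=None) -> bool:
        """Second step for an untrusted device; success registers it as trusted."""
        if self._pending is None:
            return False
        expected, issued, left = self._pending
        now = time.time() if now is None else now
        if now - issued > CODE_TTL or left <= 0:
            self._pending = None          # stale or exhausted: force a fresh login
            return False
        self._pending[2] -= 1
        if hmac.compare_digest(expected.encode(), code.encode()):
            self._pending = None
            self.trusted.add(device_id)
            return True
        return False
```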

Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Contributor
Willie D. Jones