"It's not people looking to get their hands on a new laptop, it's people looking to get their hands on the data of a specific company," said Ed Adams, CEO of Security Innovation. "So it is a form of a targeted attack, a targeted social engineering attack, taking advantage of Starbucks and the proximity to companies."
In the past six months, Adams' firm has been retained by two very large East Coast companies in an effort to reverse engineer what happened to their employees' laptops and to help put in place measures to thwart future incidents.
The way the attacks work is that an employee at the targeted firm is identified, usually an executive. His or her habits are tracked. When they frequent a nearby Starbucks, the perpetrator waits and watches. As soon as the opportunity to make off with the target's laptop opens up, like when they go to place an order, the laptop is swiped.
"I remember reading (something) not too long ago where people would actually stake out certain Starbucks knowing that people from Company 'X' frequented it at lunch time just looking for laptops," said Dave Marcus, Security Research and Communications manager for McAfee Avert Labs and the man who coined the term "Starbucks Stalkers."
"That's not exactly high-end crime. It's really dumpster diving when you come right down to it."
How widespread the problem is remains hard to define, since many targets will see the theft as a one-off incident, never connecting the theft to the data, said Andrew Berkuta, senior security evangelist at McAfee.
"If we look at the animal kingdom, we're just going to our favorite watering hole," said Berkuta. "Again, it's conservation of resources, (criminals are) not going to track (a target) across a complete city if they know they're going to the same coffee house."
And it's not only the loss of the laptop and its data that is a problem. Using the target's contact lists, customer information, forms and other documents, criminals are launching very successful, surgical phishing campaigns that net a very good response rate because the recipients think they are dealing with a trusted source.
Berkuta calls this "barrel phishing" because it's "just like fishing in a barrel."
"Given a thread of truth in a phishing (attack), either a letter like a postal letter or an email or some type of document that somewhat looks legitimate, people may act on it in a higher hit rate than just sending a mass mailing," said Berkuta.
Two other somewhat less targeted, but no less dangerous, attacks are also taking place at Starbucks, said Adams.
One is what he terms "Starbucks Skimmers," where culprits bring in RFID readers to snag the name and credit card numbers off of cards that have RF (radio frequency) chips embedded in them, like many new bank cards and the Mobil SpeedPass type of key fobs.
"And unfortunately (with) RFID the security is lagging far behind. You know what the worst part about this? The companies that are rolling this out, they are promoting it as an additional security measure but it's two steps back for security because now you are transmitting your information in a three-foot sphere to anyone that wants to listen to it," said Adams.
The other activity is WiFi hunting. Similar to war-driving, criminals will bring portable wireless scanning devices into a Starbucks that search for open laptop ports. Once an open port is located, scripts and other Trojans are downloaded onto the unsuspecting person's laptop. The next time they log on somewhere, the script and its payload (keylogger, botnet, virus, whatever) launch.
While these events can happen just about anywhere, Starbucks are particularly targeted because of their success at branding themselves as, more or less, the WiFi café of choice for busy, business professionals on the go.
"In one instance it started because they couldn't get a meeting room in their offices so they said, 'Let's just go to Starbucks down the street.' And then it became a habit and, unfortunately, patterns are things criminals look for," said Adams. And, even more unfortunate, this particular group got up together, leaving their gear unattended, to order.
To thwart these persistent and inventive spooks, Berkuta suggests three basic security measures:
"Each (security measure) has a weakness and a strength," said Berkuta. "In concert with each other, when they work together, you have a pretty resilient system to keep your laptop in a pretty secured fashion."