BreachExchange mailing list archives

Should We Blame Russia for the Target Breach?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 17 Feb 2014 18:56:23 -0700

http://www.huffingtonpost.com/michael-gregg/blame-russia-for-target-breach_b_4774536.html

Is it time to hold the Russian government responsible for the rise in
sophisticated cybercrime attacks on the U.S. economy?

As Congress recently held hearings on the Target data breach to discuss new
ways to protect consumer information and prevent future data breaches, one
key issue that should be on the table is how to clamp down on the foreign
source of these attacks. The Target breach -- possibly the largest hack in
U.S. history, affecting over 110 million consumer accounts -- used
Russian-made malware to pull it off. That should come as no surprise to
anyone. After all, some of the most notorious malware that's targeted U.S.
consumers, banks and retailers over the past few years has originated from
Russia or former Soviet states: ZeuS, Citadel, SpyEye, CryptoLocker, to
name just a few. In fact, roughly 70 percent of "exploit kits" released in
the fourth quarter of 2012 came from Russia, according to a study by
Solutionary.

Until we tackle the Russia problem, we won't make any real progress against
cybercrime. In order to stop a leaky boat from sinking, you have to do more
than just bail water -- you have to plug the actual leak.

The U.S. has already taken an aggressive stance against the Chinese
government for its ongoing cyber-espionage attacks against the private
sector. It needs to do the same with Russia. While the Russian government
does not appear to be directly behind these cybercrime activities, neither
is it doing much to stop them. A report by the Russian cybercrime
intelligence firm Group-IB cited a number of reasons for Russia's failure
to thwart the proliferation of this activity inside the country: inadequate
laws, weak penalties and legal loopholes for those convicted; a need for
more advanced investigative capabilities and better law enforcement
training; and improved coordination with other countries. In its defense,
Russian authorities did arrest the creator of the BlackHole exploit kit.
But they've failed to stop the vast majority of high-profile crimeware
rings -- from ZeuS to CryptoLocker.

Russia also has another problem: "bulletproof hosting." What is that?
Bulletproof hosting refers to the practice of protecting malware-infected
websites from being shut down by their service providers. In the U.S., for
instance, when a website is found to contain malware, there are legal
recourses to take the site offline and prevent it from being used to infect
other websites. That is not always the case in Russia -- these infected
websites are sometimes protected from takedowns, allowing cybercriminals to
thrive by having a safe platform to host their malware for infecting U.S.
consumers and businesses.

It's estimated that cybercrime (most of it appearing to come out of Russia)
costs the global economy $113 billion each year, according to Symantec.
Unlike the estimated costs of Chinese cyber-espionage (which are
speculative figures based on projected future values), cybercrime is
stealing real money from companies and consumers every day.

Russia's failure to act against the cybercrime industry operating within
its borders poses an advanced persistent threat to the U.S. economy. Our
government officials can no longer ignore the consequences of Russia's
inability or unwillingness to act. If we're going to hold China responsible
for the cyber-espionage attacks emanating from its IP addresses, isn't it
time we confront Russia for harboring the vast majority of the world's
cybercrime industry?
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
