Thousands of security threats happen every five minutes


At the pace businesses now operate, the files on a network can be encrypted and beyond an organisation’s reach in just five minutes.

In just five minutes, files on a company’s network can be encrypted and beyond its reach, according to Rik Ferguson, vice president of Security Research at Trend Micro.

Trend Micro has seen a lot of development around ransomware capabilities targeting businesses rather than consumers, Ferguson said during his keynote speech at Cloudsec Australia 2016 in Sydney on Thursday, with 1,800 new threats released out into the wild every five minutes.

Additionally, he said that more than 800,000 people are exposed to malicious URLs, exploit kits, phishing websites, malware, spam, and threats every five minutes, with almost 7,000 records on average being exposed in the same timeframe.

“Just so we can measure the speed of things, the fastest trains today … can reach top speed of about 450km/h. That means in five minutes, you can travel close to 40 kilometres. That’s an incredible distance to be able to go in a very, very short period of time,” Ferguson pointed out.

“It gives you an idea of really how short that time is. In five minutes, [aside from] propelling you across the surface of the earth, it can also result in a number of other things.

“If you were hit by a crypto ransomware attack, within five minutes, all of the files on your computer or the files, god forbid, on all of the computers on your network … can be encrypted and beyond your reach unless you paid criminals some money.”

Ferguson said that universities, corporations, individuals, and healthcare organisations are all being targeted by ransomware that is being developed with specific capabilities to target enterprise.

“Ransomware used to be a consumer thing that would go after your computer, your things, and encrypt all that knowing that if you wanted to get all the files back, you were going to pay the ransom,” he said.
“Over the course of the last calendar year, we saw 29 new families of ransomware, which was already a huge jump on the 13 in the year before that. In the first half of this year, we’ve already seen 79 new families of ransomware, which is a massive increase.”

He said that criminals are investing time, money, and expertise into creating new tools, tool kits, and delivery mechanisms to get ransomware out there, because “this stuff pays dividends”.

“One of the Trend Micro competitors out there, a startup, is offering a ransomware guarantee — but their guarantee is not you’ll never get hit by it; it’s that if you do get hit by it, they’ll pay the ransom for you. That’s a cybersecurity company offering to give money to criminals,” he said.

Over the last few years, Trend Micro has also seen an uptick in what Ferguson called business email compromise, or CEO fraud, which he said is a basic scam that pays criminals a lot of money.

“It’s really simple. It’s a criminal doing the research upfront, identifying the target organisation, looking at who fulfills which role, and then sending a fake email into that company or compromising a mailbox that belongs to an employee of that company,” he said.

“[The criminals] target an email of the right victim, quite often the CFO or someone responsible in the finance department of the business, with requests from a known colleague to pay outstanding money or wire transfer money to a third-party supplier, often abroad, who is fictitious.”
He said this practice has been hugely successful, with $2.3 billion lost to CEO compromise or fraud between 2013 and 2015, with an estimated 79 different countries being affected.

“A certain Australian government department, local council, lost over AU$200,000 to this scam by paying fake invoices. That’s AU$200,000 of your money, I guess, at the end of the day,” he said.

“Australia is not immune. You have the — I don’t know if it’s the good fortune or the misfortune — to speak one of the simplest and most widespread languages on the planet, and it’s the most-targeted language when it comes to cybercrime globally.”

Aside from being a VP with Trend Micro, Ferguson is also special adviser to Europol, project lead with the International Cyber Security Prevention Alliance, vice chair of the Centre for Strategic Cyber Security and Security Science, and an advisor to various UK government technology forums.

Also speaking at Cloudsec Australia 2016, Timothy Wallach, Supervisory Special Agent Cyber Taskforce with the FBI, said the two most significant increases the FBI has seen over the last couple of years have been ransomware or extortion, and business email compromise.

“This is probably the reason why we are seeing a decrease in the number of records stolen, because these schemes are much easier to monetise than compromising a network, stealing information, getting it to the dark web, and eventually on an online market,” he said.

When it comes to consumer ransomware, Wallach said the requested amount is somewhat affordable, at around $450 to $500. However, this is a lot different in an enterprise environment, as the ransom is usually based on the number of endpoints or the servers that are compromised.

“If an organisation has 30,000 endpoints in its network and potentially that many endpoints have been struck with ransomware, it’s generally 30,000 times one bitcoin,” he said.

“The FBI does not recommend paying your ransom. That’s a business decision an organisation has to make.

“When organisations pay ransom, they’re involved in the criminal activity. It’s encouraging the scheme to continue.”

Additionally, Wallach highlighted that paying a ransom does not always mean that you are left with a clean system, or that everything an organisation had initially lost has been recovered.

“Whatever infected your organisation in the first place is still there,” he said. “What we do recommend is prevention, business continuity, and remediation.”

Henry Sapiecha

We should widen protection for whistleblowers, offer financial rewards say supporters

Whistleblowers have long suffered from limited protection.

The limitations of legislation, in Australia and overseas, have become more apparent in the wake of the Panama Papers, Swiss Leaks and Lux Leaks. All were based on revelations of wrongdoing from individual whistleblowers, not tax authorities.

Bradley Birkenfeld, a former banker, received $104 million from the US Treasury for exposing a multi-billion dollar tax fraud by Swiss investment bank UBS and other institutions.

In the May budget the Turnbull government, under public pressure to take a tougher stance against tax dodging, announced it would introduce whistleblower protection for people who disclose information about tax misconduct to the Australian Taxation Office.

The Corporations Act already has some protection for those who make disclosures to corporate watchdog ASIC, but it is limited and does not apply to tax misconduct information given to the ATO.

‘John Doe’, the anonymous source who handed German newspaper Süddeutsche Zeitung internal data belonging to the Panamanian law firm Mossack Fonseca, wants whistleblowers to have immunity from government retribution.

“Whistleblowers will have their identity protected and will be protected from victimisation and civil and criminal action for disclosing information to the ATO,” the headline government announcement said, without offering detail about how such a scheme would work.

Those who speak out face threats

Transparency International says despite their critical role in uncovering corruption and other malpractice, “too often people who speak up in the public interest face threats, intimidation and lawsuits”.

‘John Doe’, the anonymous source who handed German newspaper Süddeutsche Zeitung (and in turn the International Consortium of Investigative Journalists) internal data belonging to the Panamanian law firm Mossack Fonseca, called in a manifesto released earlier this year for whistleblowers to be given immunity from government retribution.

“Until governments codify legal protections for whistleblowers into law, enforcement agencies will simply have to depend on their own resources or on-going global media coverage for documents,” he wrote.

Jeff Morris blew the whistle at CBA.

Bradley Birkenfeld, who was awarded $US104 million in September 2012 for information that led to US authorities chasing down Swiss bank UBS and other banks facilitating tax evasion, has previously expressed similar sentiments.

Birkenfeld, who himself served prison time for his crimes, said: “If whistleblowers are afraid to bring information to the authorities for fear of prosecution, they will stay silent, bank secrecy will continue, and illegal offshore tax havens will operate free of scrutiny, taking money out of taxpayers’ pockets, and making the super-rich even wealthier.”

Antoine Deltour is now on trial for “stealing” and leaking documents about how Luxembourg granted secret “sweetheart” tax deals to multinationals including Apple and IKEA (the French journalist Edouard Perrin, to whom Deltour leaked, is also on trial), but at his trial he said it was a “necessary evil”.

Beefing up the Corporations Act

Closer to home there’s also been discussion about how to beef up the Corporations Act to improve protection for whistleblowers.

Jeff Morris, who exposed the Commonwealth Financial Planning Limited scandal reported by Fairfax Media, told a recent Senate hearing that Australia needed a scheme, similar to that in the United States, where whistleblowers who disclose corporate misconduct get rewarded.

He says when he took the allegations against CBA to ASIC in 2010, he was told in as many words, ‘Thanks for sacrificing yourself.’ “[He was] just being frank about the limitations of the whistleblower protections,” Morris said. “The whistleblower protections basically, as he said, [are] not worth much.”

The Senate Economics References Committee has released a paper calling for greater protection for local whistleblowers, including protection for those who come forward anonymously. The government has noted its suggestions, but as yet, has not made any changes.

A.J. Brown, Griffith University’s leader for Public Integrity & Anti-Corruption in the Centre for Governance and Public Policy, who has worked with regulators including ASIC on how to improve protection for whistleblowers, says that the level currently offered under the Corporations Act is inadequate.

He welcomes the budget announcement, but hopes it is not just a “thought bubble” that results in no useful policy. “The question the government should be asking is: ‘Is there a way of doing this that encourages people to cover all types of information, not just tax misconduct?’” he says.

Rewarding whistleblowers

He also wants financial rewards for whistleblowers who give information that leads to prosecutions. In the United States, under the Internal Revenue Code, a whistleblower can receive 15 per cent to 30 per cent of the amount collected by the IRS.

Maurice Blackburn lawyer Josh Bornstein says a reward system would increase the chance of people coming forward. “If we are to improve corporate culture, whistleblowers should be rewarded and seen to be rewarded,” he says.

Tax Justice Network spokesman Mark Zirnsak says since 2008 the IRS recovered $4 billion through whistleblowers exposing tax evasion. “Whistleblower protection and reward should also apply to other forms of corporate wrongdoing, such as bribery, fraud and embezzlement,” he says.

But not everyone is supportive of a reward system. Herbert Smith Freehills partner Andrew Eastwood says rewards leave a “real risk that you may in fact be rewarding people who were in some way involved in the misconduct”. But he does support greater protection for whistleblowers under the Corporations Act.

Chartered Accountant’s tax leader Michael Croker also warns “whistleblowers will not always have clean hands and immunity, or reduced sentences, become an issue in such cases”. Nevertheless, he says there are elements of the US model, including specialist IRS teams that deal with whistleblowers, that Australia may be able to adopt.

Professor A.J. Brown says the government has a real opportunity to revamp legislation to give genuine protection to whistleblowers. “If it’s not done properly, it ends up being window-dressing. That’s what we need to avoid.”

Henry Sapiecha