Podcast interview with Yuval Ben-Itzhak of Finjan, Inc. (transcript)

This is the transcript of my podcast interview with Yuval Ben-Itzhak of Finjan Incorporated.

David Williams:  This is David Williams, co-founder of MedPharma Partners and author of the Health Business Blog. I’m speaking today with Yuval Ben-Itzhak, Chief Technology Officer of Finjan Incorporated, which is a provider of secure web gateway products. We’re talking today about the malicious page of the month where Finjan has found stolen data being traded by cybercriminals.

Yuval, it’s nice to have you here today.

Yuval Ben-Itzhak:  Hi, thank you very much.

David Williams:  Yuval, can you tell me how cybercrime is evolving, and also help us understand these crimeware servers that you’re discovering?

Yuval Ben-Itzhak:  What we see today are criminals moving from looking for fame to looking for data. They are even shifting from attacking individuals or the consumer toward targeting businesses and health care organizations. We see this worldwide with the type of data they’re looking for, and the efforts that they are putting into collecting the data and later trading them.

David Williams:  And what are you finding in terms of how data are being collected? I’ve heard for a long time about credit card information being stolen and social security numbers and identity theft, but more recently about health care data. What are you seeing there?

Yuval Ben-Itzhak:  We’re starting to see that more and more of the attacks are looking for health care information. And we found that, basically, because we inspect the data on the servers.

That means our researchers can put their hands on the criminal servers and look in the data. What is there? What was collected? And we started to see more and more health care information there.

These criminals manage to infect doctors’ PCs worldwide. And it can be the laptop or it can be the desktop of the health care network environment.

So once this desktop is infected and the doctors log in to the system – either through a Citrix system, or just reading documents, or writing any prescription, or something like that – the information is recorded using keyloggers, using screenshots that the trojans are taking. And then later they are transmitted back to the criminals and stored on other servers.

By doing that, these criminals manage to get all the medical history of patients, all the data that the doctor is looking at, or writing about, and this information, of course, has a lot of value for them.

David Williams:  Yuval, I’ve read a number of headlines in the general press where you hear about a laptop that was stolen that had millions of people’s records on it and so on. But the examples that you give here are a little bit different. You talked about Citrix and Citrix credentials. Can you, first of all, explain for the lay health care audience what Citrix is? And then, why it would be valuable for someone to have the credentials?

Yuval Ben-Itzhak:  Citrix is a very well known company that provides products that enable users to have remote control and remote access to a network. Usually IT and CIOs will provide it to their end users when they want to increase security to separate between the internal network and external network.

So it’s like the early days of the remote terminals that you can go from a remote, and login to a system, and do whatever you want. The Citrix presentation layer has its own benefit by doing the separation. However, once I have the login and password to this system, I have complete access to the internal network. And this is what the criminals are targeting.

The trojan horses, basically (and this is what we included in the report we just released), are monitoring access to Citrix systems. They’re trying to find out the login and passwords to the Citrix interface. And by doing that, they have the key to the internal network.

So they don’t need to have a physical access to the network. They don’t need to directly compromise a server within that network. But by having the credentials to log into the Citrix interface, this interface that enables me to access a remote system, this is my key to enter your data and to put my hands on them, and do whatever I want.

David Williams:  In your report you gave examples of a couple of well known health care organizations. You didn’t mention them by name, which I can understand. But how do you find the leading health care organizations in the United States, in terms of their sophistication to be able to defend against these sorts of intrusions, compared to financial services or whatever industry you would say is most ahead in this area?

Yuval Ben-Itzhak:  Recently, I had an opportunity to speak with about 10 IT heads and CIOs from health care organizations in the United States. And what they told me is they’re starting to become aware of the problem. They’re currently using antivirus or URL filtering products within their system to protect them. However, they understand that the mobile users or the mobile laptops, it’s now a problem that they need to deal with.

But also, the attacks today or the methods that the criminals are using to install the malicious code can no longer be detected just by signatures, simply because these criminals are encrypting the payload. It’s called an obfuscation technique.

And by doing that, they break all the signatures. The antiviruses we’ve been using for the last 20 years, they’re breaking them dynamically. And because of that, they successfully install the [malware] on the doctor’s PC.

David Williams:  Is that different from what you would have with, say, a loan officer or whoever the equivalent would be in a financial institution? Are they equally vulnerable, or is health care different in some way?

Yuval Ben-Itzhak:  They’re equally vulnerable. It’s all about the value of the data for the hacker. If the hacker can steal credit card numbers and sell them online, he will go target them. If the hacker can collect data off a patient medical history or any other health care related data and sell it online, he will go and target it. The risk is the same for the financial sector, for the health care sector.

The regulation is different. And the results of violating them or being noncompliant with them have a different impact. But for the criminal to go and bypass and infiltrate a malicious code through an antivirus, URL filtering, or intrusion detector, it’s exactly the same. And what we see based on our research and audits that we’re doing in this type of organization, today they are very successful in bypassing these types of products.

David Williams:  I wrote recently on the blog about how medical data is becoming more valuable relative to credit card data. And I speculated, but I didn’t really know, that once a credit card number, for example, was compromised the detection would be faster, and therefore, the criminal would have less of an opportunity to use the card.

And that would make it different from, and perhaps less valuable than, health care data, where for example, if someone had insurance information, they could use it a long time before it was detected just because of the nature of how health care tends to be more disorganized than financial services.

I don’t know if that’s an area that you get into, but would you think that that speculation is on target, or would there be other reasons why the medical information would be more valuable relative to financial?

Yuval Ben-Itzhak:  It definitely makes sense. There is another reason that we believe drives them now toward the health care information, and it’s the basic supply and demand rule in economics. If many hackers are offering credit card numbers for sale, the price drops. And if you go online today and you just search and Google “credit card dumps for sale” you probably are going to find many sites offering this type of data for sale.

So if many people offer credit card numbers and PINs, the price goes down. And this is exactly what we saw. The price went down from $100 to $20 per credit card number. So now, the criminals are looking for additional valuable data that’s not particularly rare or hard to find.

So they can charge a higher price for it until it will become a commodity like stolen credit card numbers. So this is another reason we believe it’s just a force of supply and demand in the market, and there is a value for this data, so they’re going and targeting it right now.

David Williams:  Yuval, you’ve been describing today the research that Finjan has done. Can you describe the relationship between the research side of Finjan and the sort of products and services that you offer, and what the implications would be for someone who wanted to protect themselves against these sorts of difficulties?

Yuval Ben-Itzhak:  Sure. The research is like the visionary. They provide insights such as: where these criminals are going, what exactly they’re doing, and how they manage to develop these types of tools. In terms of the product, Finjan sells a gateway product. It’s an appliance that you install in your network. Usually, it’s in the DMZ, the demilitarized zone.

It inspects the traffic of your users, either incoming or outgoing traffic, to the Internet. And the solution from Finjan is unique: unlike an antivirus, which looks for something that is already known and has a signature for it, or URL filtering, which looks at where content is coming from, the Finjan technology is completely different.

It’s looking at the intended behavior of the content coming from the web, or basically what it does, what it’s about to do when it shows in your browser. Is it about to delete a file? Is it about to install software? And because of this reason, because of this behavior, our technology will be able to detect and block this content from infiltrating your network.

So the product that is installed in the DMZ of course connects to the entire system, and to authentication and caching or any other device that you’ve already got, and will be able to detect and prevent these criminals from infecting your computers. And these types of techniques today are the ones that we truly believe can prevent today’s crimeware.

David Williams:  I’ve been speaking today with Yuval Ben-Itzhak, Chief Technology Officer of Finjan Incorporated. Yuval, thanks for your time today.

Yuval Ben-Itzhak:  Thank you very much.

August 12, 2008
