Monday, March 30, 2009

Thoughts on GhostNet

I thought it would be useful to provide some concluding thoughts on GhostNet as a means to wrap up today's in class discussion.
  • Its important to note that the real work in these type of social malware attacks is not in the vulnerability discovery and exploit creation process. Rather the real work is in the social engineering phase - that is the research conducted that enables the hackers to design an email, or other form of communication, that convinces the target to infect him or herself.
  • While these attacks illustrate an attack on confidentiality, from a technical perspective there is nothing that prevented the hackers from attacking both integrity and availability. In the case of GhostNet, it is highly likely that the hackers were interested only in stealing information and therefore did not want to alert the targets to their presence by conducting a denial of service attack or by altering the function of the targeted network.
  • While there is both technical and circumstantial evidence that attributes these attacks to China, there is not necessarily enough evidence to attribute these attacks to the Chinese government.  The fact that the botnet was not encrypted and that the command and control servers were openly accessible appear to indicate that a traditional government organization tasked with espionage was not directly responsible for carrying out the attacks.  Nation-states would typically guard their sources and methods with zeal in an effort to protect its access to intercepted communications.  That the GhostNet was openly accessible appears to indicate that patriotic hackers were responsible for the attacks. However, this does not mean that the patriotic hackers were operating with the implied consent of the Chinese government and providing the stolen information directly to Chinese intelligence.

More on GhostNet

F-Secure provides some excellent insight into the backdoor used in the GhostNet attacks.  Most of these backdoors were built with modified and obfuscated versions of a Remote Administration Tool (RAT) known as Poison Ivy.

More screenshots of the Poison Ivy tool can be found here.

Malware and Spam by Country

In response to one of your classmates questions about why certain countries produced more malware and spam than other countries I thought it would be useful to lay the groundwork for that discussion with some facts.  In 2007, PandaLabs provided the following breakdown on Malware Friendly Countries.

Additionally, Spamhaus provides the following current breakdown of Spam producing countries.

The 10 Worst Spam Origin CountriesAs at 30 March 2009
RankCountryNumber of Current
Known Spam Issues
United States1548
Russian Federation314
United Kingdom233
South Korea213

Why are certain countries more prone to malware and spam production?  Are the reason solely technical?  Do cultural and legal factors play a role?

When considering these questions it is useful to analyze the breakdown of Internet users worldwide. currently supplies some useful statistics that illustrate Internet usage around the world.

China's Cyber Spies

The following video interview conducted by CNN in 2008 illustrates how China's "patriotic hackers" work with but not necessarily at the direction of the Chinese government.

The full CNN story is available here.

Don't Believe the Hype

From Panda Labs

Lately it seems everybody is talking about Conficker and its variants. And much more so if we have to take into account the build up fear around the coming day of April 1st. It’s been a while since we saw so much coverage in the general media and I don’t want to tell you to disregard this, because it does contribute to general awareness and make users more conscious. But I also want to say that perhaps it does more harm than good. Let go back over the issues that are flying around the world. Regarding the damn date… will Conficker be activated 1st April? No. But it will do something that day, won’t it? Yes, Conficker is a malware that creates random URLs everyday and the PCs infected with it check if there is any new available version to download. It does so 250 times a day. What will happen then 1st April? The last variant creates 50,000 new URLs. We can’t know if any of them will host an update of the malware, its author could host a new version or even some other type of malware.

I couldn't agree more with this opinion. While Conficker is a very large botnet, we've seen large botnets before. The Storm worm built a botnet comprised of million of infected computers just last year and I'm willing to bet that none of you noticed. Bottom line is that Conficker likely won't break the Internet - in fact I doubt any of you will even notice any effects from it.

Read the rest of PandaLabs report on Conficker here.

Sunday, March 29, 2009

CNN Reports on Ghostnet

See the following two videos that describe the Ghostnet cyber espionage network. Pay particular attention to Rafal's interview in the second clip. Having worked with Rafal in the past I can attest to his sharp intellect, attention to detail, and vast experience.

Saturday, March 28, 2009

60 Minutes on Conficker

While this CBS piece is focused on the Conficker worm, it serves as a great overview of how cyber attacks have evolved and targeted Web 2.0 technologies.

More Chinese Cyber Espionage?

From the New York Times,
A vast electronic spying operation has infiltrated computers and has stolen documents from hundreds of government and private offices around the world, including those of the Dalai Lama, Canadian researchers have concluded.

In a report to be issued this weekend, the researchers said that the system was being controlled from computers based almost exclusively in China, but that they could not say conclusively that the Chinese government was involved
Pay particular note to how this particular spy network was created. According to the article,
Infection happens two ways. In one method, a user’s clicking on a document attached to an e-mail message lets the system covertly install software deep in the target operating system. Alternatively, a user clicks on a Web link in an e-mail message and is taken directly to a “poisoned” Web site.
This is of particular importance because it demonstrates how easy it is to conduct cyber espionage.

See the rest of the article here.

UPDATE: See a full version of the University of Cambridge's report entitled The snooping dragon: social-malware surveillance of the Tibetan movement

See a full version of the Information Warfare Monitor's report entitled Tracking Ghostnet

Weekly Roundup

Tuesday, March 24, 2009

Facial Recognition on Facebook

From ReadWriteWeb,
This morning, announced that they're bringing advanced facial recognition technology to Facebook by way of a new application called Photo Finder. Using proprietary facial scanning algorithms, this application scans through your photos and those public photos belonging to your friends in order to identity and suggest tags for the untagged people within them. The results of these scans are highly accurate - almost frighteningly so - and should lead to some interesting discoveries as the app spreads through Facebook when it finally becomes public.
You can read the rest of the piece here ...

There are obviously alot of potential privacy concerns with this application. According to the article, "the company has taken great strides to make sure that its application respects your privacy." While it does appear the company has established a menu of "privacy controls" in the application, as we've discussed in class these controls can never fully prevent issues of distortion and secondary use.

What are your thoughts? Would you install this type of application on your facebook profile?

Monday, March 23, 2009

More Pwn2Own

Following up on one of your classmates comments regarding the recent Pwn2Own competition at the CanSecWest Conference I thought it would be useful to provide links to Ryan Naraine's interviews with two of the competitors Charlie Miller and Nils.

Its particularly interesting to note Nils and Miller's contrasting views on security research. Nils stated,
Vulnerabilities are only valued highly by companies or organizations who aren’t interested in getting them fixed. I don’t want to participate in that. I like to see my bugs gets fixed. During the two days [at CanSecWest], I was able to sit with vendors like Microsoft and Mozilla to work on getting these things fixed. I’m not interested in selling bugs to strange organizations. Those are the people paying high prices but they’re also not interested in getting them fixed.
In contrast Miller stated,
I never give up free bugs. I have a new campaign. It’s called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away. Apple pays people to do the same job so we know there’s value to this work. No more free bugs.
There is also fascinating detail in these interviews regarding the vulnerability discovery and exploit creation process of security research. For those of you interested in the technical aspects of security research I highly recommend reading these interviews.

Sunday, March 22, 2009

Weekly Roundup

New new anatomy of a hack

Richard Stiennon details the changing dynamics of how hackers attack their chosen targets. The following slides summarize Stiennon's analysis, but his entire post is a compelling read and relates to alot of what we have discussed in class.

Thursday, March 19, 2009

Grey Goose Phase II Report

While you were slaving away on your mid-terms and then lounging around on Spring Break I was busy working away with my colleagues on Project Grey Goose. We just released the public version of our Phase II report. The report covers the ongoing Israeli-Palestinian cyber war and Russia's cyber war capabilities. You can view the report here - Our guest speaker for this Monday's class, Rebecca Givner-Forbes, also participated in this report.

Safari hole exploited in seconds at security conference

From C-Net:

The security expert who won $10,000 hacking a MacBook Air in less than two minutes last year won $5,000 on Wednesday by exploiting a hole in Safari in 10 seconds or so. Charlie Miller, principal security analyst at Independent Security Evaluators, used a MacBook running the latest version of the Mac OS as part of a contest at the CanSecWest security conference called "Pwn2Own," which is hacker slang for gaining control of a computer.

My advice - Get Firefox

Wednesday, March 18, 2009

Privacy Group Asks F.T.C. to Investigate Google

According to the New York Times, "The Electronic Privacy Information Center formally asked the Federal Trade Commission on Tuesday to investigate the privacy and security safeguards of Gmail, Google Docs and other so-called cloud computing services offered by Google to consumers."

As cloud computing services become more popular, it is important to understand that security breaches can and do occur in these services. Google and other cloud computing service providers will tell you that their services are more safe than storing data on your own hard drive. However, recent incidents, including Google's admissions that some Google Docs users had their private data exposed to others, call these claims into question.

There is no question that cloud computing holds tremendous promise, but until security and privacy questions about these services are more fully resolved I do not recommend throwing out your hard drive anytime in the near future.

Tuesday, March 3, 2009

Surveillance Self-Defense

The Electronic Frontier Foundation has just launched a new project entitled Surveillance Self-Defense (SSD). Check out the SSD website - The EFF has compiled a great resource on how to technically and legally protect your personal information. Enjoy.

Monday, March 2, 2009

Phishing on Phacebook

We discussed how phishing schemes are designed to trick users into downloading malware onto their desktops. Phishing schemes are typically delivered via email and are designed to appear as a valid communication from a trusted source.

For example, we discussed the ever present email from "PayPal" that requests the recipient update their user account. Inside of allowing the user to update their account this PayPal phish will redirect the target to a server under the phishers control.

A new type of phishing scheme that targets social networking sites as opposed to email is now on the loose. According to Kapersky Labs the koobface virus, "

creates spam messages and sends them to the infected users' friends via the Facebook site. The messages and comments include texts such as Paris Hilton Tosses Dwarf On The Street; Examiners Caught Downloading Grades From The Internet; Hello; You must see it!!! LOL. My friend catched you on hidden cam; Is it really celebrity? Funny Moments and many others. Messages and comments on MySpace and Facebook include links to http://youtube.[skip].pl. If the user clicks on this link, s/he is redirected to http://youtube.[skip].ru, a site which purportedly contains a video clip. If the user tries to watch it, a message appears saying that s/he needs the latest version of Flash Player in order to watch the clip. However, instead of the latest version of Flash Player, a file called codecsetup.exe is downloaded to the victim machine; this file is also a network worm. The result is that users who have come to the site via Facebook will have the MySpace worm downloaded to their machines, and vice versa.

Facebook and other social networking sites are ideal vectors for phishing schemes because users of these sites tend to trust communications from their friends. My best advice is to always be skeptical of messages with embedded links or downloads even if they were sent by your friends.