Monday, December 6, 2010

Cybergang infects all ATMs in Russian city

From Help Net Security ...

A group of fraudsters has been arrested in Yakutsk and Moscow for allegedly compromising all the ATMs in the city of Yakutsk - population: around 210,000 - in the Republic of Yakutia in the Russian Federation.

Three of the men formed the actual criminal group, and the fourth - a Moscow-based malware developer - was "subcontracted" by them and received 100,000 rubles (some $3200) to develop a custom ATM virus with which they would infect the devices.

Every man had his role in the operation: one who used to work as a head of an IT department obtained access to the ATMs, the second one - a system administrator - infected them, and the third one was supposedly intended to be the money mule.

According to the press release (Google translation) issued by the Ministry of Internal Affairs' cybercrime division, a coordinated raid of the three's apartments led to their arrest and the confiscation of copies of the malware and credit card information that - according to the investigators - they didn't have time to take advantage of.

The malware author was arrested in Moscow a week later. All four have been detained and will likely be charged with the creation, use and distribution of malicious computer programs, and hopefully with fraud.

this is not good .....

Thursday, November 18, 2010

Cyber Experts Have Proof That China Has Hijacked U.S.-Based Internet Traffic

From the National Defense Magazine ...

For 18 minutes in April, China’s state-controlled telecommunications company hijacked 15 percent of the world’s Internet traffic, including data from U.S. military, civilian organizations and those of other U.S. allies.

This massive redirection of data has received scant attention in the mainstream media because the mechanics of how the hijacking was carried out and the implications of the incident are difficult for those outside the cybersecurity community to grasp, said a top security expert at McAfee, the world’s largest dedicated Internet security company.

In short, the Chinese could have carried out eavesdropping on unprotected communications — including emails and instant messaging — manipulated data passing through their country or decrypted messages, Dmitri Alperovitch, vice president of threat research at McAfee said.

Nobody outside of China can say, at least publicly, what happened to the terabytes of data after the traffic entered China.

The incident may receive more attention when the U.S.-China Economic and Security Review Commission, a congressional committee, releases its annual report on the bilateral relationship Nov. 17. A commission press release said the 2010 report will address “the increasingly sophisticated nature of malicious computer activity associated with China.”

Said Alperovitch: “This is one of the biggest — if not the biggest hijacks — we have ever seen.” And it could happen again, anywhere and anytime. It’s just the way the Internet works, he explained. “What happened to the traffic while it was in China? No one knows.”

The telephone giants of the world work on a system based on trust, he explained. Machine-to-machine interfaces send out messages to the Internet informing other service providers that they are the fastest and most efficient way for data packets to travel. For 18 minutes April 8, China Telecom Corp. told many ISPs of the world that its routes were the best paths to send traffic.

For example, a person sending information from Arlington, Va., to the White House in Washington, D.C. — only a few miles away — could have had his data routed through China. Since traffic moves around the world in milliseconds, the computer user would not have noticed the delay.

This happens accidentally a few times per year, Alperovitch said. What set this incident apart from other such mishaps was the fact that China Telecom could manage to absorb this large amount of data and send it back out again without anyone noticing a disruption in service. In previous incidents, the data would have reached a dead end, and users would not have been able to connect.
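As an added illustration (not from the article or McAfee), here is a small Python route-origin monitor that flags the two announcement patterns an operator watches for after an event like this: a monitored prefix originated by an unexpected AS, and a more-specific prefix inside it from another AS. The prefixes, AS numbers and the feed are constructed; `best_route` shows why the more-specific announcement is the one routers actually follow.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: prefixes an operator monitors, mapped to the AS that is
# allowed to originate them (documentation prefixes, private-range ASNs).
EXPECTED_ORIGIN = {
    "192.0.2.0/24": 64500,
    "198.51.100.0/24": 64501,
}


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: tuple  # AS path as received; the last element is the origin AS

    @property
    def origin_as(self):
        return self.as_path[-1]


def classify(ann, expected=EXPECTED_ORIGIN):
    """Return None if the announcement is consistent with the expected origins,
    otherwise a one-line reason why it looks like a hijack."""
    net = ipaddress.ip_network(ann.prefix)
    for want_prefix, want_as in expected.items():
        want = ipaddress.ip_network(want_prefix)
        if net.version != want.version:
            continue
        if net == want:
            if ann.origin_as != want_as:
                return (f"origin mismatch: {ann.prefix} originated by "
                        f"AS{ann.origin_as}, expected AS{want_as}")
            return None
        if net.subnet_of(want):
            # A more-specific route wins longest-prefix matching, so it diverts
            # traffic even while the legitimate covering route is still present.
            if ann.origin_as != want_as:
                return (f"more-specific hijack: {ann.prefix} inside {want_prefix} "
                        f"originated by AS{ann.origin_as}, expected AS{want_as}")
            return None
    return None  # not a prefix we monitor


def scan(announcements, expected=EXPECTED_ORIGIN):
    """Run classify() over a batch and return (prefix, origin, reason) alerts."""
    alerts = []
    for ann in announcements:
        reason = classify(ann, expected)
        if reason:
            alerts.append((ann.prefix, ann.origin_as, reason))
    return alerts


def best_route(announcements, dst_ip):
    """Longest-prefix match: the announcement a router would use for dst_ip."""
    dst = ipaddress.ip_address(dst_ip)
    candidates = [a for a in announcements
                  if dst in ipaddress.ip_network(a.prefix)]
    if not candidates:
        return None
    return max(candidates,
               key=lambda a: ipaddress.ip_network(a.prefix).prefixlen)


# Constructed feed: what a monitor might see while a hijack is in progress.
SAMPLE_FEED = [
    Announcement("192.0.2.0/24", (64496, 64500)),     # legitimate
    Announcement("198.51.100.0/24", (64496, 64501)),  # legitimate
    Announcement("198.51.100.0/25", (64496, 64497)),  # more-specific, foreign origin
    Announcement("192.0.2.0/24", (64496, 64497)),     # same prefix, wrong origin
    Announcement("203.0.113.0/24", (64496, 64499)),   # not monitored
]

if __name__ == "__main__":
    for prefix, asn, reason in scan(SAMPLE_FEED):
        print(f"ALERT {prefix} via AS{asn}: {reason}")
    chosen = best_route(SAMPLE_FEED, "198.51.100.10")
    print(f"traffic to 198.51.100.10 follows {chosen.prefix} "
          f"originated by AS{chosen.origin_as}")
```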

Also, the list of hijacked data just happened to include preselected destinations around the world that encompassed military, intelligence and many civilian networks in the United States and other allies such as Japan and Australia, he said. “Why would you keep that list?” Alperovitch asked.

The incident involved 15 percent of Internet traffic, he stressed. The amount of data included in all these packets is difficult to calculate. The data could have been stored so it could be examined later, he added. “Imagine the capability and capacity that is built into their networks. I’m not sure there was anyone else in the world who could have taken on that much traffic without breaking a sweat,” Alperovitch said.

McAfee has briefed U.S. government officials on the incident, but they were not alarmed. They said their Internet communications are encrypted. However, encryption also works on a basis of trust, McAfee experts pointed out. And that trust can be exploited.

Internet encryption depends on two keys. One key is private and not shared, and the other is public, and is embedded in most computer operating systems. Unknown to most computer users, Microsoft, Apple and other software makers embed the public certificates in their operating systems. They also trust that this system won’t be abused.

Among the certificates is one from the China Internet Information Center, an arm of China's Ministry of Information and Industry.

“If China telecom intercepts that [encrypted message] and they are sitting on the middle of that, they can send you their public key with their public certificate and you will not know any better,” he said. The holder of this certificate has the capability to decrypt encrypted communication links, whether it’s web traffic, emails or instant messaging, Alperovitch said. “It is a flaw in the way the Internet operates,” said Yoris Evers, director of worldwide public relations at McAfee.

No one outside of China can say whether any of these potentially nefarious events occurred, Alperovitch noted. “It did not make mainstream news because it is so esoteric and hard to understand,” he added. It is not defined as a cyberattack because no sites were hacked or shut down. “But it is pretty disconcerting.”

And the hijacking took advantage of the way the Internet operates. “It can happen again. They can do it tomorrow or they can do it in an hour. And the same problem will occur again.”

Monday, November 15, 2010

The Plan To Quarantine Infected Computers

From Bruce Schneier's column at Forbes Magazine ...

Last month Scott Charney of Microsoft proposed that infected computers be quarantined from the Internet. Using a public health model for Internet security, the idea is that infected computers spreading worms and viruses are a risk to the greater community and thus need to be isolated. Internet service providers would administer the quarantine, and would also clean up and update users' computers so they could rejoin the greater Internet.

This isn't a new idea. Already there are products that test computers trying to join private networks, and only allow them access if their security patches are up-to-date and their antivirus software certifies them as clean. Computers denied access are sometimes shunned to a limited-capability sub-network where all they can do is download and install the updates they need to regain access. This sort of system has been used with great success at universities and end-user-device-friendly corporate networks. They're happy to let you log in with any device you want--this is the consumerization trend in action--as long as your security is up to snuff.

Charney's idea is to do that on a larger scale. To implement it we have to deal with two problems. There's the technical problem--making the quarantine work in the face of malware designed to evade it, and the social problem--ensuring that people don't have their computers unduly quarantined. Understanding the problems requires us to understand quarantines in general.

Quarantines have been used to contain disease for millennia. In general several things need to be true for them to work. One, the thing being quarantined needs to be easily recognized. It's easier to quarantine a disease if it has obvious physical characteristics: fever, boils, etc. If there aren't any obvious physical effects, or if those effects don't show up while the disease is contagious, a quarantine is much less effective.

Similarly, it's easier to quarantine an infected computer if that infection is detectable. As Charney points out, his plan is only effective against worms and viruses that our security products recognize, not against those that are new and still undetectable.

Two, the separation has to be effective. The leper colonies on Molokai and Spinalonga both worked because it was hard for the quarantined to leave. Quarantined medieval cities worked less well because it was too easy to leave, or--when the diseases spread via rats or mosquitoes--because the quarantine was targeted at the wrong thing.

Computer quarantines have been generally effective because the users whose computers are being quarantined aren't sophisticated enough to break out of the quarantine, and find it easier to update their software and rejoin the network legitimately.

Three, only a small section of the population must need to be quarantined. The solution works only if it's a minority of the population that's affected, either with physical diseases or computer diseases. If most people are infected, overall infection rates aren't going to be slowed much by quarantining. Similarly, a quarantine that tries to isolate most of the Internet simply won't work.

Fourth, the benefits must outweigh the costs. Medical quarantines are expensive to maintain, especially if people are being quarantined against their will. Determining who to quarantine is either expensive (if it's done correctly) or arbitrary, authoritative and abuse-prone (if it's done badly). It could even be both. The value to society must be worth it.

It's the last point that Charney and others emphasize. If Internet worms were only damaging to the infected, we wouldn't need a societally imposed quarantine like this. But they're damaging to everyone else on the Internet, spreading and infecting others. At the same time, we can implement systems that quarantine cheaply. The value to society far outweighs the cost.

That makes sense, but once you move quarantines from isolated private networks to the general Internet, the nature of the threat changes. Imagine an intelligent and malicious infectious disease: That's what malware is. The current crop of malware ignores quarantines; they're few and far enough between not to affect their effectiveness.

If we tried to implement Internet-wide--or even countrywide--quarantining, worm-writers would start building in ways to break the quarantine. So instead of nontechnical users not bothering to break quarantines because they don't know how, we'd have technically sophisticated virus-writers trying to break quarantines. Implementing the quarantine at the ISP level would help, and if the ISP monitored computer behavior, not just specific virus signatures, it would be somewhat effective even in the face of evasion tactics. But evasion would be possible, and we'd be stuck in another computer security arms race. This isn't a reason to dismiss the proposal outright, but it is something we need to think about when weighing its potential effectiveness.

Additionally, there's the problem of who gets to decide which computers to quarantine. It's easy on a corporate or university network: the owners of the network get to decide. But the Internet doesn't have that sort of hierarchical control, and denying people access without due process is fraught with danger. What are the appeal mechanisms? The audit mechanisms? Charney proposes that ISPs administer the quarantines, but there would have to be some central authority that decided what degree of infection would be sufficient to impose the quarantine. Although this is being presented as a wholly technical solution, it's these social and political ramifications that are the most difficult to determine and the easiest to abuse.

Once we implement a mechanism for quarantining infected computers, we create the possibility of quarantining them in all sorts of other circumstances. Should we quarantine computers that don't have their patches up to date, even if they're uninfected? Might there be a legitimate reason for someone to avoid patching his computer? Should the government be able to quarantine someone for something he said in a chat room, or a series of search queries he made? I'm sure we don't think it should, but what if that chat and those queries revolved around terrorism? Where's the line?

Microsoft would certainly like to quarantine any computers it feels are not running legal copies of its operating system or applications software. The music and movie industry will want to quarantine anyone it decides is downloading or sharing pirated media files--they're already pushing similar proposals.

A security measure designed to keep malicious worms from spreading over the Internet can quickly become an enforcement tool for corporate business models. Charney addresses the need to limit this kind of function creep, but I don't think it will be easy to prevent; it's an enforcement mechanism just begging to be used.

Once you start thinking about implementation of quarantine, all sorts of other social issues emerge. What do we do about people who need the Internet? Maybe VoIP is their only phone service. Maybe they have an Internet-enabled medical device. Maybe their business requires the Internet to run. The effects of quarantining these people would be considerable, even potentially life-threatening. Again, where's the line?

What do we do if people feel they are quarantined unjustly? Or if they are using nonstandard software unfamiliar to the ISP? Is there an appeals process? Who administers it? Surely not a for-profit company.

Public health is the right way to look at this problem. This conversation--between the rights of the individual and the rights of society--is a valid one to have, and this solution is a good possibility to consider.

There are some applicable parallels. We require drivers to be licensed and cars to be inspected not because we worry about the danger of unlicensed drivers and uninspected cars to themselves, but because we worry about their danger to other drivers and pedestrians. The small number of parents who don't vaccinate their kids have already caused minor outbreaks of whooping cough and measles among the greater population. We all suffer when someone on the Internet allows his computer to get infected. How we balance that with individuals' rights to maintain their own computers as they see fit is a discussion we need to start having.

Anatomy Of An Attempted Malware Scam

I stumbled across this fascinating inside account of how cyber criminals infiltrate online advertising by Julia Casale-Amorim of Casale Media. Try not to get lost in the technical jargon of the advertising world and instead focus on the criminals' cleverness and level of effort.

The display media segment is the newest target of malvertising, the latest trend in online criminal methodology. The problem has escalated in recent months and, despite many suppliers' best efforts, it continues to grow. The culprits behind many of these attacks are based in foreign states, leaving little recourse for taking action. While the best defense against malvertising is to prevent it from happening in the first place, this has proven to be a challenge for even the most astute publishers, networks and the like.

We were recently the targets of one such attempt, and while it certainly wasn't the first "fake agency" we've been besieged by (and that we've successfully stopped), it is one of the most organized efforts we've encountered so far. Below we've outlined the approach that was used and the findings of our investigation as an FYI to others who may be on the target list.

If there's anything we've learned since the practice of malvertising has surfaced (and has since proliferated), it's that you can't be too detailed with your client background checks and creative reviews. We've always been big on our screening procedures, and these days it's proving to be an increasingly valuable practice. Malvertising reflects negatively on the entire online media industry and the onus has to fall on us (suppliers) to put a stop to it. So, we want to share our learnings here for the greater community to hopefully benefit from.

Here is a breakdown of the approach used by the individuals behind our most recent malware experience, how we caught them, and the findings of our subsequent investigation. We've also highlighted some pink flags (and the ultimate red flag) that came up along the way, as well as our key takeaways from the experience, including some of the steps we now have in place (and which you may want to consider implementing) to help us identify similar perpetrators sooner rather than later.

Initial contact, proposal and campaign review

The culprits approached us in early July representing themselves as an agency looking to place a campaign for both a big name charity and a travel client (we are omitting names to protect their brands from being associated with this scam; we have no reason to believe they were involved). Following our proposal phase, "Bellas" informed us that the big name charity was still "undergoing approval phase", but that their travel client had approved a test on our network and wanted to proceed.

(Pink flag: while not completely implausible, it is rare for an unknown agency to bring one or more large brands to the table, let alone doing so without first undergoing a formal RFI/RFP process.)

Despite the pink flag, we proceeded, and because we had never worked with this agency before, we began by processing their request for credit. Each of the references provided had professionally produced websites and unique phone numbers -- nothing at the surface level that would raise any suspicion. The bank reference was real (a real bank, that is) and the phone number provided worked. The information we requested was supplied to us in an official, expected manner. Nothing out of the ordinary here.

All three references we contacted provided prompt and friendly responses and each reported that they had been doing business with Bellas for anywhere between two years and six months at fairly respectable sums.

For added assurance, the "fake agency" supplied us with a PDF which was represented as an official document of incorporation.

With no glaring reason to deny, we approved their application for limited starter credit and proceeded to the next step, campaign setup.

Campaign Setup and QA

The campaign's goals were a little unusual for what we would typically consider to be a direct response advertiser:

We are really focused on reach and unique viewers optimizations. Thus tight frequency cap like 1/24 or 1/48 can work. CTR is secondary goal at this point. A lot of people don't know much about client services and we want to cover every single possible customer.

We logged their goals and rationale. We also noted them as a pink flag. The proprietors of these scams typically focus more on unique reach and frequency than on targeting, audience or optimization - a focus that, in general terms, is most unusual for the average online advertiser. Of course, in hindsight, their interest in unique reach stemmed from their desire to infect across the widest possible net.

On our initial request for creative, "Bellas" provided us with a set of third-party tags, which were rejected because they were not from one of our certified ad serving vendors.

We were then provided with raw creative files. While the creatives were clean (i.e. no malicious code), there were some minor design flaws, including missing borders and file sizes that exceeded our standard maximums. We informed them of these issues and they responded:

We are currently run[ning] with AOL and Yahoo (including comscore 1-150 pubs) and they are cool.

Hmm, really? AOL and Yahoo have some of the strictest ad specs around... (pink flag).

After some lengthy back and forth about the creative revisions...

We are not able to reduce creative size without sacrificing quality. If you cannot run creative size more than 20kb -- we can host. If not -- we wont be able to proceed with campaign.

"Bellas" at that point requested that we run an impression tracking URL. The "OpenX" URL provided to us was flagged during our QA review, another pink flag; the formatting and characters were not consistent with the standard employed by OpenX. We informed Bellas that to use the URL we would need to perform a few modifications to make it consistent with the standard. We provided an example of the modified URL and then received the following responses:

I have contacted OpenX support to find out. Meanwhile I got another pixel for you. We have used it with our hosted campaigns and it worked wonders.

Client prefers Eyeblaster tracking URL (their ad server). Would be cool if you can implement. If not -- OpenX is perfectly fine.

Next, Bellas informed us of the "response" they received from "OpenX support" and then supplied us with a new pixel to use.

"Hi Henry. Looks like Casale runs , which is NOSCRIPT part of the code, instead of JS pixel (script part), that affects reporting a bit and you cannot add any additional tracking code." Are you able to implement JS OpenX pixel or Eyeblaster pixel directly? Alternatively, we can provide tags.

After informing "Bellas" that we would forward the new pixel to our traffic team for evaluation, we received the following response...

Client have sent another pixel, from zedo.

Pink flag. So now we have a client who wanted to serve through OpenX, then Eyeblaster, and now Zedo? Really? We reviewed the Zedo tracking URL and asked for confirmation about a few details since it did not conform to the ad server's standard. They replied,

For JS pixel to work properly, you need to load is exactly like that ... Will work.

Red flag! The set of tags provided were imitation tags. We ended discussions with the client at this point since things were just not adding up, and launched a detailed investigation to confirm our suspicions.

During our investigation we discovered the phone number provided in the credit application was not a legit phone number for the bank. We also learned that the domains of each of the references provided were registered within two days of each other... and that the registrations took place only days before Bellas Interactive's request for credit was issued - despite the fact that the references "claimed" to be working with Bellas across a 6-24 month spread. And finally, the Bellas Interactive website claimed to be in operation since 1994, despite the fact that the domain was registered in April of this year.

In Summary

Entities like this are cunning and smart. Their scams are well thought through and executed. The best defence against them is rigorous proactive screening. You have to be really, really astute. Question everything. These guys know the industry lingo and procedures, and have created a false environment designed specifically to make a non-existent agency look legitimate. Even the most insignificant detail can be a huge clue.

Our Lessons Learned and Advice for Others

Perform independent fact checking.
Don't take the information provided to you on bank/credit reference applications at face value. Perform a few spot checks to validate the sources. If, when we looked up the bank reference, we had cross referenced the phone number provided by Bellas with the numbers listed on the bank's website, we would have exposed a major crack in their armour upfront, which would have saved us a lot of wasted time and effort.

Research. Then research some more.
Make it SOP to do research on not only the agency in question, but the credit references provided to you. Search for them online, do a WHOIS lookup on the domains, ask around. Make certain that everything adds up. You can't be too cautious.

When the going gets tough...
If a client is difficult to work with, there's probably a reason for it. Standards exist for a reason. Any account that is operating outside the norms should register as an immediate red flag to you. Issues surrounding pixels, creative design, obsession over going live too quickly with no sound rationale or justification... any of these examples should set alarm bells off in your head!

Be suspicious.
Perception is selective. It's natural for small details to escape us when we're not on guard or actively looking for something. It's also easy to get overly comfortable with the mechanics of a standard procedure. If you approach every new account with suspicion, you'll be far more aware of any detail that may seem out of place.

Don't assume. Question and verify.
Certify third party ad servers that you are willing to deliver through, and keep clear lines of communication open with them at all times. Store tag templates and use them in your QA/review process. If a tag deviates from the standard template that you typically see from a third party ad server, escalate to them for an opinion. Never assume that the template has changed, always question it.

Re-examine critical points in your new account process.
When an account is new, consider minimizing the involvement of your sales staff in the review and verification process. In some cases, a sales person's thirst for new revenue can hamper their nose for suspicious behavior.
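The fact-checking and research steps above can be made mechanical. As an added example (not Casale Media's own tooling), the Python below runs the cross-checks the investigation describes over a constructed credit application: the bank phone number against the bank's published numbers, each reference's claimed months of business against the WHOIS age of the reference and agency domains, clustering of reference registration dates, and a "since 1994" claim against a months-old domain. All domains, dates and phone numbers are made up.

```python
from datetime import date

# Constructed credit application: what the "agency" and its references claimed,
# alongside what WHOIS and the bank's published contact page showed.
APPLICATION = {
    "agency_domain_created": date(2010, 4, 12),
    "agency_claims_operating_since": 1994,
    "credit_request_date": date(2010, 7, 6),
    "bank_phone_supplied": "+1-555-0100",
    "bank_phones_published": {"+1-555-0198", "+1-555-0199"},
    "references": [
        # (reference domain, WHOIS creation date, months of business claimed)
        ("ref-one.example", date(2010, 7, 1), 24),
        ("ref-two.example", date(2010, 7, 2), 12),
        ("ref-three.example", date(2010, 7, 3), 6),
    ],
}

# Constructed control case: same shape, but everything checks out.
CLEAN_APPLICATION = dict(
    APPLICATION,
    bank_phone_supplied="+1-555-0199",
    agency_domain_created=date(2004, 3, 1),
    references=[
        ("ref-one.example", date(2006, 1, 1), 24),
        ("ref-two.example", date(2008, 5, 5), 12),
    ],
)


def screen(app, cluster_days=7):
    """Cross-check a credit application. Returns (severity, finding) pairs:
    'red' means stop onboarding, 'pink' means verify before proceeding."""
    findings = []
    req = app["credit_request_date"]
    agency_age = (req - app["agency_domain_created"]).days

    # 1. The bank phone number on the application must be one the bank lists.
    if app["bank_phone_supplied"] not in app["bank_phones_published"]:
        findings.append(("red", "bank reference phone number is not published by the bank"))

    # 2. Nobody can have done N months of business with an agency, or via a
    #    reference domain, that did not exist N months ago.
    for domain, created, months in app["references"]:
        oldest_possible = min((req - created).days, agency_age)
        if months * 30 > oldest_possible:
            findings.append(("red", f"{domain} claims {months} months with the agency "
                                    f"but the relevant domains are only {oldest_possible} days old"))

    # 3. Reference domains registered within days of each other point to one operator.
    dates = sorted(c for _, c, _ in app["references"])
    if len(dates) > 1:
        spread = (dates[-1] - dates[0]).days
        if spread <= cluster_days:
            findings.append(("pink", f"all {len(dates)} reference domains were "
                                     f"registered within {spread} days"))

    # 4. A long-established business with a months-old domain deserves a question.
    years_claimed = req.year - app["agency_claims_operating_since"]
    if years_claimed >= 5 and agency_age < 365:
        findings.append(("pink", f"claims {years_claimed} years in business "
                                 f"but its domain is {agency_age} days old"))
    return findings


def verdict(findings):
    """Collapse findings into the decision the credit desk needs."""
    if any(sev == "red" for sev, _ in findings):
        return "deny"
    return "verify" if findings else "approve"


if __name__ == "__main__":
    for app in (APPLICATION, CLEAN_APPLICATION):
        results = screen(app)
        for sev, text in results:
            print(f"[{sev}] {text}")
        print("verdict:", verdict(results))
```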

Sunday, November 14, 2010

USAA Credential Phishing

Security company M86 blogs about a sophisticated phishing attack targeting members of the USAA. Would you have spotted this attack?

Today we started seeing a new phishing campaign which is being sent by the Cutwail spambot, targeting customers of the United States Automobile Association (USAA). Cutwail is the spamming component installed by the Pushdo botnet. The phishing emails ask the recipient to fill out a ‘confirmation form’ which they can access by clicking on a link in the message.

To hide the URL of the phishing web page, these emails contain a link to one of several different URL shortening services such as which redirect the browser to the actual phishing page.

The link ‘Access USAA Confirmation Form’ in the spam email above points to http://bit . ly/agWGNG. When we tested this link, had already determined that there may be a problem with the URL it was redirecting to and displayed a warning page rather than redirecting us to the phishing page.

If we choose to ignore this warning and continue to the un-shortened URL, we end up at the page below, a phishing website aimed at stealing information from USAA members. This page, titled ‘Cardholder Form’, asks the user to provide information such as their online ID, password, name, card number, card security code and PIN. When the user clicks the submit button all of the details are sent to the criminals’ server and the users’ browser is redirected to the real USAA website.

For now, this phishing site, which is hosted on the domain vsdfile (dot) ru is not serving up any malicious content. The USAA provides a banking and credit card service which may be the intended target of these criminals once they have tricked a customer into divulging their cardholder details.

We have not seen one of these large scale phishing campaigns from Cutwail for some time, as the cybercriminals switched to spamming out links to the data-stealing Zeus malware. With the recent high profile arrests of several Zeus perpetrators, and all the subsequent public attention on Zeus, maybe phishing, where you politely ask for data instead of stealing it, will come back in fashion.

Pentagon is debating cyber-attacks

Fascinating article by the Washington Post's Ellen Nakashima detailing the policy debate surrounding the use of offensive cyber warfare. Some interesting excerpts from the article include ...

Cyber Command's chief, Gen. Keith B. Alexander, who also heads the National Security Agency, wants sufficient maneuvering room for his new command to mount what he has called "the full spectrum" of operations in cyberspace.

Offensive actions could include shutting down part of an opponent's computer network to preempt a cyber-attack against a U.S. target or changing a line of code in an adversary's computer to render malicious software harmless. They are operations that destroy, disrupt or degrade targeted computers or networks.

But current and former officials say that senior policymakers and administration lawyers want to limit the military's offensive computer operations to war zones such as Afghanistan, in part because the CIA argues that covert operations outside the battle zone are its responsibility and the State Department is concerned about diplomatic backlash.

The administration debate is part of a larger effort to craft a coherent strategy to guide the government in defending the United States against attacks on computer and information systems that officials say could damage power grids, corrupt financial transactions or disable an Internet provider.

The effort is fraught because of the unpredictability of some cyber-operations. An action against a target in one country could unintentionally disrupt servers in another, as happened when a cyber-warfare unit under Alexander's command disabled a jihadist Web site in 2008. Policymakers are also struggling to delineate Cyber Command's role in defending critical domestic networks in a way that does not violate Americans' privacy.

Read the full article here.

Mapping Attacks Against Online Banks

From ...

Several readers have asked to be notified if the U.S. map showing recent victims of high-dollar online banking thefts was updated. Below is a (non-interactive) screen shot of the updated, interactive map that lives here. Click the red markers to see more detail about the victim at that location, including a link to a story about the attack.

Attack Severs Burma Internet

From Arbor Networks ....

Back in 2007, the Burmese government reportedly severed the country’s Internet links in a crackdown over growing political unrest.

Yesterday, Burma once again fell off the Internet. Over the last several days, a rapidly escalating, large-scale DDoS has targeted Burma’s main Internet provider, the Ministry of Post and Telecommunication (MPT), disrupting most network traffic in and out of the country.

While the motivation for the attack is unknown, Twitter and Blogs have been awash in speculation ranging from blaming the Burma / Myanmar government (preemptively disrupting Internet connectivity ahead of the November 7 general elections) to external attackers with still mysterious motives. The Myanmar Times reports the attack has been ongoing since October 25th (and adds the attack may impact Burma’s tourist industry).

We estimate the Burma DDoS between 10-15 Gbps (several hundred times more than enough to overwhelm the country’s 45 Mbps T3 terrestrial and satellite links). The DDoS includes dozens of individual attack components (e.g. TCP syn, rst flood) against multiple IP addresses within MPT’s address blocks (,, and The attack also appears fairly well-distributed — ATLAS data shows attack traffic across 20 or more providers with a broad range of source addresses.

While DDoS against e-commerce and commercial sites are common (hundreds per day), large-scale geo-politically motivated attacks — especially ones targeting an entire country — remain rare with a few notable exceptions. At 10-15 Gbps, the Burma attack is also significantly larger than the 2007 Georgia (814 Mbps) and Estonia DDoS. Early this year, Burmese dissident web sites (hosted outside the country) also came under DDoS attacks.

At present I do not know the motives for this attack, but our past DDoS analyses have observed the gamut from politically motivated DDoS, government censorship, extortion and stock manipulation. I’ll update this blog if I get more details.

US internet hosts are linchpin of criminal botnets

From the New Scientist ...

While criminal gangs in Russia and China are responsible for much of the world's cybercrime, many of the servers vital to their activities are located elsewhere. An investigation commissioned by New Scientist has highlighted how facilities provided by internet companies in the US and Europe are crucial to these gangs' activities.

Researchers at Team Cymru, a non-profit internet security company based in Burr Ridge, Illinois, delved into the world of botnets - networks of computers that are infected with malicious software. Millions of machines can be infected, and their owners are rarely aware that their computers have been compromised or are being used to send spam or steal passwords.

Several botnets have been linked to gangs based in Russia, where police have a poor record on tackling the problem. But to manage their botnets these gangs often seem to prefer to use computers, known as command-and-control (C&C) servers, in western countries. More than 40 per cent of the 1500 or so web-based C&C servers Team Cymru has tracked this year were in the US. When it comes to hosting C&C servers, "the US is significantly ahead of anyone else", says Steve Santorelli, Team Cymru's director of global outreach in San Diego.

Santorelli and his colleagues also detected a daily average of 226 C&C servers in China and 92 in Russia. But European countries not usually linked with cybercrime were in a similar range, with an average of 120 C&C servers based in Germany and 64 in the Netherlands.

Internet hosts in western countries appeal to criminals for the same reasons that regular computer users like them, says Santorelli: the machines are extremely reliable and enjoy high-bandwidth connections. Team Cymru's research did not identify which companies are hosting botnet servers, but Santorelli says the list would include well-known service providers.

The use of US-based C&C servers to control botnets is a source of frustration to security specialists, who have long been aware of the problem. It is happening even though most hosting companies shut down C&C servers as soon as they receive details of botnet activity from law enforcement agencies and security firms. "When we see an AT&T address serving as a botnet control point, we take it very seriously," says Michael Singer, an executive director at AT&T.

Despite these efforts, the criminals can quickly re-establish control by setting up a new C&C server with a different company, often using falsified registration information and stolen credit card details.

Hosting companies deal with botnets on a voluntary basis at present. They might be more vigilant if required to act by law, but that would create its own regulatory problems, Santorelli says. "The cops don't run or govern the internet after all, and neither do they want to," he says. For legal controls to work, it would be necessary to define who has the authority to decide whether a server is part of a botnet, and how requests from authorities abroad are dealt with.

Jeffrey Carr of security firm Taia Global, based in Washington DC, says that some less well-known providers have been warned about botnet activity on many occasions, but drag their heels when asked to shut down the criminals' servers.

The problem arises partly because web hosting can be a big earner for some firms. "They're generating millions of dollars in income," says Carr. Improvements in security, such as requiring service providers to verify the details of people who rent server facilities, could well hurt these firms' bottom line.

Nobel Peace Prize, Amnesty HK and Malware

From Nart Villeneuve at SecDev.cyber ...

There have been two recent attacks involving human rights and malware. First, on November 7, 2010, posted an analysis of a malware attack that masqueraded as an invitation to attend an event put on by the Oslo Freedom Forum for Nobel Peace Prize winner Liu Xiaobo. The malware exploited a known vulnerability (CVE-2010-2883) in Adobe Reader/Acrobat. The Committee to Protect Journalists was hit by the same attack.

On November 10, 2010 Websense reported that website of Amnesty Hong Kong was compromised and was delivering an Internet Explorer 0day exploit (CVE-2010-3962) to visitors. In addition, Websense reports that the same malicious server was serving three additional exploits: a Flash exploit (CVE-2010-2884), a QuickTime exploit (CVE-2010-1799) and a Shockwave exploit (CVE-2010-3653).

The malicious domain name hosting the exploits ( has been serving malware since Sept. 2010. The domain was registered in May 2010 to was formerly hosted on which now hosts the Zhejiang University Alumni Association website.

The malware dropped from the Internet Explorer exploit (CVE-2010-3962)
MD5: ca80564d93fbe6327ba6b094ae3c0445 VT: 2/43

The malware dropped from the Flash exploit (CVE-2010-2884)
MD5: 0da04df8166e2c492e444e88ab052e9c VT: 2/43

The malware dropped from the QuickTime exploit (CVE-2010-1799)
MD5: 3e54f1d3d56d3dbbfe6554547a99e97e VT: 16/43

The malware dropped from the Shockwave exploit (CVE-2010-3653)
MD5: 3a459ff98f070828059e415047e8d58c VT: 0/43

Both ca80564d93fbe6327ba6b094ae3c0445 and 3a459ff98f070828059e415047e8d58c perform a DNS lookup for, which is an alias for which resolves to (China Unicom Beijing province network).

The domain name “” has been associated with a variety of malware going back to May 2010. This domain name, is registered to, the developer of the NetThief RAT.

Malware attacks leveraging human rights issues are not new. I have been documenting them for some time (see Human Rights and Malware Attacks, Targeted Malware Attack on Foreign Correspondents based in China, “0day”: Civil Society and Cyber Security). However, one of the issues that Greg Walton and I raised last year is a trend toward compromising the real web sites of human rights organizations and using them as vehicles to deliver 0day exploits to the visitors of the sites – many of whom may be staff and supporters of the specific organization. Unfortunately, we can expect this to continue.

Monday, November 8, 2010

Google Hacking SCADA

Interesting Tweet from Ruben Santamarta at

It's not a good idea to expose a SCADA Control Center of Wind Turbines in a public subdomain

Basically, Ruben found the login page to an Industrial Control System ... ouch!

You can follow Ruben on Twitter here @reversemode

Metasploit and SCADA exploits: dawn of a new era?

Courtesy Shawn Merdinger

On 18 October, 2010 a significant event occurred concerning threats to SCADA (supervisory control and data acquisition) environments.

That event is the addition of a zero-day exploit for the RealFlex RealWin SCADA software product into the Metasploit repository. Here are some striking facts about this event:

  • This was a zero-day vulnerability that unfortunately was not reported publicly, to an organization like ICS-CERT or CERT/CC, or (afaik) to the RealFlex vendor.
  • This exploit was not added to the public Exploit-DB site until 27 October, 2011.
  • The existence of this exploit was not acknowledged with an ICS-CERT advisory until 1 November, 2010.
  • This is the first SCADA exploit added to Metasploit.

So what are the lessons learned and takeaways from this seminal event?

First, the SCADA community can expect to see an explosion of vulnerabilities and accompanying exploits against SCADA devices in the near future.

Personally, I expect we will see in the next 12 months at least a doubling of the known 16 SCADA vulnerabilities documented in NIST’s National Vulnerability Database.

Second, the diverse information sources in which SCADA vulnerabilities may appear must be vigilantly monitored by numerous organizations and security researchers.

Afaik, the first widely-disseminated information on the RealFlex RealWin buffer overflow occurred on 1 November, when I sent the information to the SCADASEC mailing list.

Third, people should recognize that the recent Stuxnet threat has cast a light on SCADA security issues. Put bluntly, there is blood in the water.

Quite a few people, companies and other organizations are currently investigating SCADA product security, buying equipment and conducting security testing for a number of differing interests and objectives.

I expect SCADA security issues will be the shiny hot topic on the 2011 security and hacker conference circuit, both in the US and abroad.

Fourth, understand that because of the current broken business model, security researchers are often frustrated by software vendors’ action, or inaction, when it comes to reporting vulnerabilities.

Often, there is no security point-of-contact at the vendor. Even worse, the technical support staff who are contacted by the security researcher often do not understand the technical and security implications of the issue reported.

And it is worth mentioning that a vendor acknowledging a product security issue is then “on the hook” — so there is incentive for the vendor to dismiss the vulnerability report.

Even in the case of specialty SCADA security shops reporting vulnerabilities to the vendor, we are seeing documented cases of “vendor spin” furthering the bad blood between vendors and ethical research.

All of these factors lead to frustrated security researchers, some of whom will simply expose the vulnerability and exploit to the world, rather than take a disclosure path through a CERT.

Fifth, folks should recognize that attack frameworks like Metasploit enable a never-before-seen level of integration of these kinds of targeted critical infrastructure-related exploits into a powerful tool.

For a kinetic metaphor, Metasploit is akin to a .50 caliber sniper rifle, and a zero-day SCADA vulnerability is equivalent to a .50 caliber depleted uranium round for that rifle.

As a SCADA end user, what are you to do?

I recommend the following, at a minimum: push your vendors to have a product security POC and process, monitor resources like SCADASEC, keep current with tools like Metasploit, receive vulnerability notifications from appropriate CERT organizations like ICS-CERT.

Sunday, October 31, 2010

Avalanche Gang: The Ultimate Bank Robbers?

From ZDNet ...

This time last year it was being reported that the Avalanche Gang was responsible for around two thirds of all phishing attacks on the Internet. But Avalanche, described at the time as being "one of the most sophisticated and damaging on the Internet" by the Anti-Phishing Working Group (APWG), was only responsible for a paltry four conventional phishing attacks during the month of July 2010. Which you might think is good news, and it would be were it not for the fact that the Avalanche Gang has not hung up its spurs and given up cyber crime.

At the tail end of last year ZDNet UK reported that the Avalanche Gang, named after the botnet it employs, was collaborating with the people behind the Zeus botnet. Back then, in December 2009, Vincent Hanna who was employed as an investigator for the Spamhaus Project told ZDNet UK that the gangs behind Avalanche and Zeus were using each other's infrastructure on a purely commercial basis: "We see that the same viruses are emitting mails that benefit [the] different groups, either through spammed URLs or attached malware."

Fast forward to now, and it looks like the Avalanche Gang has completed its transition from conventional phishing and spam outfit to the world's biggest bank robbers. According to the latest APWG research, Avalanche has "moved from using conventional phishing to massively propagating stealthy password-stealing crimeware that does not require user cooperation to surrender financial account credentials."

The Avalanche Gang has been slowly ramping up a concerted campaign of crimeware propagation in order to con victims into getting infected by Zeus. Well, I say slowly, but everything is relative: according to the APWG research Avalanche has been sending billions of faked messages from tax authorities, false alerts/updates purporting to be from popular social networking sites, and other scams designed to deliver marks to drive-by download sites.

I have heard nothing to suggest that there is any evidence that Operation Trident Breach, an international effort involving the FBI and the Metropolitan Police as well as other law enforcement agencies around the world and which has so far led to the arrest of 150 people involved with the Zeus operation, has actually led to any arrests of Avalanche Gang members.

As Rod Rasmussen, co-author of the APWG research report, says: "Their spamming and other activities to target victims continues at high levels, implying they are finding malware distribution a more effective and profitable tactic than traditional phishing." With Zeus being responsible for hundreds of millions of pounds worth of theft to date, and no Avalanche arrests making the headlines, that would make the Avalanche Gang the most successful bank robbers in history.

China Has Ability to Hijack U.S. Military Data, Report Says

From Jeff Bliss and Tony Capaccio at Bloomberg ...

China in the past year demonstrated it can direct Internet traffic, giving the nation the capability to exploit “hijacked” data from the U.S. military and other sources, according to a new report.

Recent actions raise questions that “China might seek intentionally to leverage these abilities to assert some level of control over the Internet,” according to excerpts from the final draft of an annual report by the U.S.-China Economic and Security Review Commission. “Any attempt to do this would likely be counter to the interests of the United States and other countries.”

On April 8, China Telecom Corp., the nation’s third-largest mobile-phone company, instructed U.S. and other foreign-based Internet servers to route traffic to Chinese servers, the report said. The 18-minute re-routing included traffic from the U.S. military, the Senate and the office of Defense Secretary Robert Gates.

“Although the commission has no way to determine what, if anything, Chinese telecommunications firms did to the hijacked data, incidents of this nature could have a number of serious implications,” the report said. The re-routing showed how data could be stolen and communications with websites could be disrupted, the report said.

Read more here ...


From the MacRumors forum ...

When your iPhone is locked with a passcode tap Emergency Call, then enter a non-emergency number such as ###. Next tap the call button and immediately hit the lock button. It should open up the Phone app where you can see all your contacts, call any number, etc.

My iPhone is jailbroken so that could be causing it. Can anyone confirm that it works on non-jailbroken iPhones?
Check out a video demo

Bug no iOS 4.1 from Salomão Filho on Vimeo.

stuxnet: targeting the iranian enrichment centrifuges in Natanz?

From Frank Rieger's blog ...

I did a writeup of the stuxnet story so far for the large German newspaper Frankfurter Allgemeine Zeitung (FAZ), out in print today (now also online here). Unfortunately the page-one teaser image chosen by the frontpage editor is outright silly, and the picture chosen by the FAZ for the main piece is the reactor in Bushehr, as the facility in Natanz is optically less attractive. But, hey, the story is what counts. I want to comment on some of the more detailed aspects here that were not fit for the more general audience of the FAZ, and also outline my reasoning why I think stuxnet might have been targeted at the uranium centrifuges in Natanz, instead of Bushehr as guessed by others.

stuxnet is a so far publicly unseen class of nation-state weapons-grade attack software. It is using four different zero-day exploits, two stolen certificates to get proper insertion into the operating system and a really clever multi-stage propagation mechanism, starting with infected USB sticks and ending with code insertion into Siemens S7 SPS industrial control systems. One of the zero-days is a USB-stick exploit named LNK that works seamlessly to infect the computer the stick is put into, regardless of the Windows operating system version – from the fossil Windows 2000 to the most modern and supposedly secure Windows 7.

The stuxnet software is exceptionally well written. It makes very, very sure that nothing crashes, that no outward signs of the infection can be seen and, above all, it makes pretty sure that its final payload, which manipulates parameters and code in the SPS computer, is only executed if it is very certain to be on the right system. In other words: it is extremely targeted and constructed and built to be as side-effect free as humanly possible. Words used by reverse engineers working on the thing are “After 10 years of reverse-engineering malware daily, I have never ever seen anything that comes even close to this”, and from another “This is what nation states build, if their only other option would be to go to war”.

Industrial control systems, also called SCADA, are very specific for each factory. They consist of many little nodes measuring temperature, pressure, flow of fluids or gas; they control valves, motors, whatever is needed to keep the often dangerous industrial processes within their safety and effectiveness limits. So both the hardware module configuration and the software are custom made for each factory. For stuxnet they look like a fingerprint. Only if the right configuration is identified does it do more than just spread itself. This tells us one crucial thing: the attacker knew very precisely the target configuration. He must have had insider support or otherwise access to the software and configuration of the targeted facility.

I will not dive very much into who may be the author of stuxnet. It is clear that it has been a team effort, that a very well trained and financed team with lots of experience was needed, and that the resources needed to be allocated to buy or find the vulnerabilities and develop them into the kind of exceptional zero-days used in the exploit. This is a game for nation-state-sized entities; only two handfuls of governments and maybe as many very large corporate entities could manage and sustain such an effort to the achievement level needed to build stuxnet. As to which of the capable candidates it could be: this is a trip into the Wilderness of Mirrors. False hints are most likely placed all over the place, so it does not make much sense for me to put much time into this exercise.

Regarding the target, things are more interesting. There is currently a lot of speculation that the Iranian reactor at Bushehr may have been the target. I seriously doubt that, as the reactor will for political reasons only go on-line when Russia wants it to go on-line, which they have dragged on for many years now, to the frustration of Iran. The political calculations behind this game are complex and involve many things like the situation in Iraq, the US withdrawal plans and Russia's unwillingness to let the US actually have free military and political bandwidth to cause them trouble in their near abroad.

But there is another theory that fits the available data much better: stuxnet may have been targeted at the centrifuges at the uranium enrichment plant in Natanz. The chain of published indications supporting the theory starts with stuxnet itself. According to people working on the stuxnet analysis, it was meant to stop spreading in January 2009. Given the multi-stage nature of stuxnet, the attacker must have assumed that it had reached its target by then, ready to strike.

Read more here ...

Indian OS

From Bruce Schneier ...

India is writing its own operating system so it doesn't have to rely on Western technology:

India's Defence Research and Development Organisation (DRDO) wants to build an OS, primarily so India can own the source code and architecture. That will mean the country won't have to rely on Western operating systems that it thinks aren't up to the job of thwarting cyber attacks. The DRDO specifically wants to design and develop its own OS that is hack-proof to prevent sensitive data from being stolen.

On the one hand, this is great. We could use more competition in the OS market -- as more and more applications move into the cloud and are only accessed via an Internet browser, OS compatibility matters less and less -- and an OS that brands itself as "more secure" can only help. But this security by obscurity thinking just isn't true:

"The only way to protect it is to have a home-grown system, the complete architecture ... source code is with you and then nobody knows what's that," he added.

The only way to protect it is to design and implement it securely. Keeping control of your source code didn't magically make Windows secure, and it won't make this Indian OS secure.

The militarization of the Internet

Interesting thoughts on the militarization of the Internet from Susan Crawford ...

Someone needs to take a good hard look at those Internet surveillance stories being strategically placed on the front page of the New York Times.

There’s a trail here, I believe, that’s worth following. Here are some data points:

1. Cyberattack - there appears to be a deep interest in the ability to declare war online, as evidenced by cybersecurity research and public speeches by Herbert Lin, a key player who has worked on several cybersecurity reports for the National Research Council. Ethan Zuckerman has summarized a presentation by Lin, which included the following paraphrase of Lin’s remarks:

If we’re interested in pre-empting cyber attack, “you need to be in the other guy’s networks.” But that may mean breaking into the home computers of US citizens. To the extent that cloud computing crosses national borders, perhaps we’re attacking computers in multiple jurisdictions. Lin wonders whether a more authenticated internet will actually help us to pre-empt attack. And he reminds us that US Strategic Command asserts authorization to conduct “active threat neutralization” – i.e., logging into your machine to stop an attack in progress. . . .

Dr. Lin notes that it’s not a violation of international law to collect intelligence abroad. It’s possible to engage in covert action as regulated by US statute. And there’s an array of possible responses the US could launch in response to cyberattack (Lin pauses to note that he’s not advocating any of these) – we could attack enemy air defenses, hack their voting machines to influence an election, conduct campaigns of cyberexploitation to spy within those nations. Given all this, aren’t nations entitled to fear the consequences of a “free and open” internet? Might they reasonably choose to tighten national control over the internet?

2. A “more authenticated Internet” would obviously include using the leverage provided by network operators to permit only fully-authorized, identified machines to connect. The ability to remotely disconnect machines or devices until they are cleansed is now within reach for federal networks - this same capability will inevitably spread to private connections.

3. A “more authenticated Internet” would also include more-easily tappable applications as well as machines. That’s what FBI Director Mueller is talking about in this video at 3:29.

4. There must be deep stress inside the USG re what the overall public position of the Administration will be on enhancing surveillance, authentication, and the ability to declare war online. Secretary Clinton’s “Internet Freedom” speech of January 2010 made clear that the free flow of information online is an important component of the nation’s foreign policy.

5. Given this stress, the agencies that are most interested in forwarding cyberattack abilities, surveillance, guaranteed back doors for encrypted communications, and all the other trappings of a “more authenticated Internet” have an interest in portraying their vision of the future Internet as inevitable. Part of that campaign would logically be to get the story into the mainstream media.

6. So, here we go - another front-page story yesterday in The Times: “Officials Push to Bolster Law on Wiretapping.” This is a hugely contentious issue. Should law enforcement be able to require all technologies online to have “back doors” allowing officials to (essentially) require that the same information be produced to them that was produced during the circuit-switched telephone era?

7. The Internet is not the same thing as a telephone network. It’s a decentralized agreement to route packets of information to particular addresses. It has made possible unparalleled innovation, free speech, and improvements to human lives around the world. Retrofitting it to make it fit law enforcement’s (or national security’s) “authentication” needs would be an enormous, retrograde step.

But it would certainly help us wage war online.

Bredolab botnet shut down

From F-Secure ...

The Dutch National Crime Squad has announced a major takedown. The people behind the botnet have not been caught, but the servers (hosted in LeaseWeb IP space) have been taken over, effectively shutting down the botnet.

Bredolab is a large family of complicated, polymorphic trojans. They have been distributed via drive-by-downloads and email. Bredolab is known to be connected to email spam campaigns and rogue security products. And the size of the botnet was massive: over 30 million infected computers and close to 150 command & control servers.

Interestingly, the crime squad has announced that they will be sending a warning to infected PCs: "Users of computers with viruses from this network will receive a notice of at the time of next login with information on the degree of infection."

So they will probably use the existing botnet infrastructure to send a program to all infected machines, showing them a warning.

This is rarely done because running code on somebody else's computer might be seen as "unauthorized use", possibly making it illegal - although the intentions are obviously good.

Here's a video with more information (Severe warning! It is in Dutch).

Updated to add: The Dutch police is redirecting Bredolab-infected computers to this help page.

Updated to add: A 27-year old man has been arrested in Armenia. He is under investigation for being one of the operators behind Bredolab.

Thursday, October 28, 2010

When You Think You Surf Anonymously But You Don’t

From Roman Huessy at ...

Many companies, military and governmental networks have banned social networking sites like Facebook, Twitter, MySpace & Co from their networks. For instance in August 2009 the U.S. Marine Corps banned Social Networking Sites (SNS) from their classified network.

Roman continues,

Often there are (legal and comprehensible) reasons to ban SNS from corporate and governmental networks. But the problem is that often the responsible persons and/or administrators who decided to ban SNS don’t know the consequences that such a ban can trigger. Let me ask you: do you really think that users will accept a ban of their *most-favorite-websites*? Of course most of the users won’t, so they will start trying to dig holes in your corporate firewall and web proxies/gateways. The point I would like to outline in this post is the consequences you will trigger when banning social networks as well as the risks/threats which result from this.

As said before, most users won’t accept a ban of SNS (and please believe me: that’s a fact). The first thing they will do after your ban becomes active is googling about bypassing your security infrastructure. The first thing your users will come across are PHP-based web proxy scripts. One of the most popular PHP-based proxy scripts is called Glype: it’s a tiny, powerful and fast web proxy which is based on PHP. You just have to download the ZIP file, upload the “upload” folder to a webspace and start using your brand new web proxy. But WOW – hey, you don’t even have to install your own web proxy, you can just use sites like proxy[dot]org and get a fresh list of 5’000+ working web proxies!

What sounds like honey being poured down their back to your users is pure pain for the administrators and security folks of companies and governmental organizations: within a few minutes users will be able to bypass security gateways easily. But let’s talk about the security risks of such anonymous web proxies.

*** The bad things you don’t know about such proxies ***
Unfortunately the other side of the coin looks much worse:

  • You don’t know who runs these proxies
  • You don’t know if these proxies are secure and clean from any malware and drive-bys
  • You don’t know the intentions of the persons who run these proxies (maybe they mean ill?)

But you must be aware of one fact: those proxies aren’t anonymous! Web proxy scripts like Glype & Co have a freely configurable option whether the administrator of the (Glype) proxy wants to log the requests which are passing his proxy or not. And you can be sure that most Glype administrators will do so.

Let’s take a deeper look at the origin IP addresses which are using such Glype proxies. A huge part of the Glype users are users from:

  • Educational networks like schools and universities (trying to break the blockade of Facebook & Co on edu networks)
  • Home users from DSL and dialup accounts (trying to bypass the internet censorship of their ISPs/country)

Besides that (mostly) legitimate traffic (generally I don’t support internet censorship in any country – so in my opinion this is some kind of legitimate traffic), there is a lot of noise coming from governmental and military networks around the world. I won’t name any countries, but you can be sure that dozens of countries are affected. Some of the affected departments and ministries are listed below (I have translated most of them from other languages, so don’t assume all of them belong to the US – they don’t):

  • Ministry of Foreign Affairs
  • Ministry of Finance
  • Ministry of Economy
  • Ministry of Statistics
  • Ministry of Administration and Interior
  • Ministry of Industry
  • Ministry of Interior and Justice
  • Ministry of Labour and Social Policy
  • Ministry of Social Development
  • Department of Defense
  • Department of Atomic Energy
  • Department of Health
  • Department of Science and Technology
  • Department of Home Affairs
  • Department of Water Affairs and Forestry
  • Department of Environment and Conservation
  • National Laboratory
  • National Police Service
  • Residence of the President
  • Atomic Energy Commission
  • Centre for Atomic Research
  • State police
  • National Telecommunications Commission
  • Supervision and Administration Commission
  • State-owned news agency
  • Various Military Test and Command Centres around the globe
  • Various networks which are just named as “Government of xxxx”

And Roman hammers his point home,

As I already pointed out I don’t see a problem in users bypassing internet censorship per se. They just have to know that they don’t really surf anonymously when they use such script based proxies (like Glype) and that those logfiles are propably accessible by anyone from anywhere.

But such proxies are becoming a problem as soon as they are used by employees of governmental and military organistaions (like shown above): These proxies could be a great resource for terroristic organization and foreign intelligence services! Many of the governmental traces I’ve seen are on facebook – so I was able to catch the names of employees of various governmental and military organizations. To show you the threat of such ‘information’ I will make real example which I saw in those logfiles.

You might have noticed that I mentioned Ministry of Foreign Affairs before (of a country which I won’t name here). While checking the logs I just came across a user who surfed on Facebook. The Logfiles provides a link to a profile of a employee of the Ministry of Foreign Affairs. When I checked the profile, I just noticed that this user is obviously a employee of the Security Service at the Ministry of Foreign Affairs. In fact, this person is now a high value target for terroristic organization and foreign intelligence services who are now able to get personal information about this person easily. This allows them to apply pressure and blackmail the person in order to gain access to classified information and documents.

*** Conclusion ***
My research on these Glype proxies allows me to draw the following conclusions:

  • Glype (and other script-based) proxies aren’t really anonymous
  • You don’t know who runs these proxies
  • Most users of those proxies just want to bypass internet censorship of their country or schools/universities
  • But there are many users from governmental and military organizations using those proxies too
  • In those cases you may be able to hide your web traffic from your administrator but you will leave traces in other places which are probably a threat to your whole company!
  • Administrators and security folks have to know about these risks and have to adopt compensating measures and/or provide awareness to their users
  • If you run such a Glype proxy you have to know that you will probably be responsible for any illegal activities which are passing through your proxy. Are you sure that your Glype proxy is not being abused to access illegal content like child porn?
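As an added example (my code, not part of Roman's research or the original post), one of the compensating measures the conclusions call for: a defender's scan of the organisation's own egress proxy log for requests routed through script-based web proxies, which shows which internal clients are leaving traces on someone else's server. It assumes a squid-style "timestamp client method url" log layout and that the proxy front end is reached at a browse.php?u= URL, as Glype's is; the log lines and hosts are constructed.

```python
# Added example: find internal clients routing web traffic through
# script-based (Glype-style) proxies, using the organisation's own egress log.
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Assumption: a squid-style access log, "timestamp client method url".
LOG_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")

# Assumption: the proxy script is reached as /browse.php?u=<destination>,
# the layout Glype and its clones use; other front ends need their own pattern.
PROXY_SCRIPT_PATHS = ("/browse.php",)

# Constructed sample log (hypothetical hosts and clients, not real traffic).
SAMPLE_LOG = """\
1288000001.123 10.0.0.5 GET http://intranet.example/page.html
1288000002.456 10.0.0.7 GET http://free-proxy.example/browse.php?u=http%3A%2F%2Fwww.facebook.com%2Fprofile.php%3Fid%3D12345&b=4
1288000003.789 10.0.0.7 GET http://free-proxy.example/browse.php?u=http%3A%2F%2Fnews.example%2F&b=4
1288000004.000 10.0.0.9 GET http://another-proxy.example/browse.php?u=aHR0cDovL3d3dy5mYWNlYm9vay5jb20v&b=0
"""


def extract_target(url):
    """Return the destination hidden behind a script-proxy URL, else None."""
    parsed = urlparse(url)
    if parsed.path.lower() not in PROXY_SCRIPT_PATHS:
        return None
    target = parse_qs(parsed.query).get("u", [None])[0]
    if target is None:
        return "(no target parameter)"
    if urlparse(target).scheme in ("http", "https"):
        return target
    # The proxy may obfuscate the destination; report it as-is rather than guess.
    return "(encoded) " + target


def find_script_proxy_use(log_text):
    """Return one record per request that went through a script-based proxy."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_LINE_RE.match(line)
        if not match:
            continue
        target = extract_target(match.group("url"))
        if target is None:
            continue
        hits.append({
            "client": match.group("client"),
            "proxy": urlparse(match.group("url")).netloc,
            "target": target,
        })
    return hits


def clients_by_hits(hits):
    """Proxied requests per internal client: the users who need the awareness talk."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = find_script_proxy_use(SAMPLE_LOG)
    for h in found:
        print(f'{h["client"]} via {h["proxy"]} -> {h["target"]}')
    print(clients_by_hits(found))
```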

Transatlantic Views of Privacy

From Cecilia Kang at the Washington Post ...

The federal government has ended an inquiry into a privacy breach involving Google's Street View service, satisfied with the company's pledge to stop gathering e-mail, passwords and other information from residential WiFi networks as it rolls through neighborhoods.

Wednesday's decision by the Federal Trade Commission is a sharp contrast with the reaction of regulators in Europe. The United Kingdom has launched a new investigation into Google's collection of unencrypted WiFi data, exposing the company to potential fines. Germany told Google to mark its Street View cars that take pictures of neighborhoods and homes. The Czech Republic banned Google from expanding its mapping software program.

The differences highlight an increasing gap between regulators in the United States, where the freewheeling Internet culture has birthed many of the social networking sites and search engines used worldwide, and governments in Europe and Canada, which tend to be much more aggressive about privacy.

"Part of it is cultural, and part of it is that the U.S. and Europe have radically different privacy regimes," said Chris Calabrese, legislative counsel for the ACLU. "The European model is extensive data protection in private information, and the U.S. model is piecemeal."

This piece provides an interesting insight into how EU regulators approach privacy regulations - an approach that contrasts with how US regulators view privacy.

Wednesday, October 27, 2010

Good news, of a kind, from a dark world

From Joseph Menn at BoingBoing ...

As a fan of BoingBoing dating from a decade ago, when it was delivered on horseback, I wanted to share something positive with fellow readers in my first guest post. Unfortunately, the thing I've been most passionate about in my reporting and writing since 1999--cybercrime and tech security--doesn't lend itself to much that's happy. What I'm offering today is a compromise. It was good news to me personally, and it will be good news to those of you who have read my book, Fatal System Error. For the rest of you, it won't be pleasant, and I'm sorry about that.

On Friday, I got a Skype message from a longtime source of mine: "My friend got his daughter back." We spoke on Sunday, and I will tell you what I can from that talk. To begin with, though, my source uses the fake name Jart Armin of HostExploit.

Like the people who work at Spamhaus, Jart is one of those people dedicated to tracking the worst cyber gangs who works in anonymity in order to protect himself. I don't like quoting people I can't name, but I did so in the book with Jart because he has done important research and because he is entirely right to be afraid of the people he has been tracking.

To explain that in the book, I briefly told the story of a colleague of Jart's who was investigating mob activity in St. Petersburg, Russia. The colleague made the mistake of working with the local police. Before he finished his assignment, the man's teenage daughter was kidnapped from her Western country, and the investigator got a message that if he dropped the case, the rest of his children might be okay.

That was five years ago. I had to leave the story hanging in the book because there had been no closure. A couple of weeks ago, the man got a new message. His daughter was in Kazakhstan, and he could have her back as long as he agreed not to look into certain of the gang's activities. One factor in the change of heart was the additional attention that Fatal System Error brought to the mob. The family has been reunited, though the young woman is not the same as she was. She was fed drugs and used to service men. A grim story, but at least it has an ending now, and I wanted to update those who knew the first part.

There are many reasons why cybercrime is as bad as it is, and getting much worse. One of them is lack of awareness of how dangerous and well-connected the gangs are. The most serious identity thieves and fraudsters are not isolated teenage script kiddies. They are mobsters who kill people, and worse, though those stories are seldom told. Folks need to know just how bad they are, every bit as much as they need to know the stories of the heroes who are risking their lives to stop them.

For those interested I strongly recommend you read Menn's book Fatal System Error.

Tuesday, October 26, 2010

Firesheep: who is eating my cookies?

We talked a bit about FireSheep yesterday in class. PandaLabs provides a good write-up on it here ...

PandaLabs also points out a handy tool to protect yourselves from these attacks. They write,
Don’t panic. Yes, this is bad, but there are some countermeasures to take. The best solution would be to use SSL encryption in all communications, but this has to be supported on the server side, so that won’t be happening (at least massively) anytime soon. Meanwhile, you should use HTTPS Everywhere, which will force the use of HTTPS when connecting to some major websites, such as Twitter or Facebook:

You can get HTTPS-EVERYWHERE from the EFF. They are a very, very reputable organization and I strongly recommend that you install this plug-in.

NOTE: This plug-in may still be vulnerable to Moxie Marlinspike's SSL-Strip attack but I have yet to verify that.
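As an added illustration (my code, not PandaLabs' or the EFF's) of the server-side support the write-up says is needed: an audit of the Set-Cookie headers a site returns, flagging session cookies that a Firesheep-style sniffer on a shared network could copy because they lack the Secure flag. It also checks for a Strict-Transport-Security header, which is the server-side answer to the SSL-Strip question in the note above (a browser that has seen HSTS for a host refuses plain-HTTP connections to it on later visits); the responses and cookie-name heuristic are my constructed samples and assumptions.

```python
# Added example: audit HTTP response headers for the session-cookie
# weaknesses Firesheep relies on. Not code from PandaLabs or the EFF.
import re

# Cookie names that usually carry a login session (heuristic, my assumption).
SESSION_NAME_RE = re.compile(r"sess|sid|auth|token|login", re.IGNORECASE)


def parse_set_cookie(value):
    """Split one Set-Cookie header into (name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookie(value):
    """Return (name, flags) for the protections that matter against sniffing."""
    name, attrs = parse_set_cookie(value)
    return name, {
        "secure": "secure" in attrs,      # without it the browser also sends it over plain HTTP
        "httponly": "httponly" in attrs,  # without it page script can read it
        "session": bool(SESSION_NAME_RE.search(name)),
    }


def audit_response(headers):
    """headers: list of (name, value) pairs from one HTTP response."""
    report = {"cookies": {}, "hsts": False}
    for key, val in headers:
        lower = key.lower()
        if lower == "set-cookie":
            name, flags = audit_cookie(val)
            report["cookies"][name] = flags
        elif lower == "strict-transport-security":
            # HSTS: a browser that has seen this refuses plain HTTP to the host,
            # which is the downgrade an SSL-stripping proxy depends on.
            report["hsts"] = True
    return report


def sniffable_cookies(report):
    """Session cookies a passive sniffer on the same network could replay."""
    return sorted(n for n, f in report["cookies"].items() if f["session"] and not f["secure"])


def firesheep_resistant(report):
    return not sniffable_cookies(report) and report["hsts"]


# Constructed sample responses (hypothetical site, not a real capture).
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
    ("Set-Cookie", "lang=en; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
    ("Strict-Transport-Security", "max-age=31536000"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        rep = audit_response(resp)
        print(label, "sniffable:", sniffable_cookies(rep), "hsts:", rep["hsts"])
```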

Special thanks to your classmate Sean for pointing out HTTPS-Everywhere. Good work Sean!

Monday, October 25, 2010

"Deleted" Facebook photos still not deleted: a followup

Via Jacqui Cheng at Ars Technica

Facebook may be making strides in some areas of privacy, but the company is still struggling when it comes to deleting user photos—or not deleting them, as the case may be.

We wrote a piece more than a year ago examining whether photos really disappear from social network servers when you delete them, and found that Facebook was one of the worst offenders when it came to leaving "deleted" photos online. We decided to revisit the issue recently when readers continued to point out that our deleted photos from that article were still online more than 16 months later. Indeed, this old photo of me remains on Facebook's content delivery network (CDN) servers, despite being deleted on May 21, 2009.

Read more here.

Privacy and the Internet

Courtesy of Flowing Data ...

Is this an overstatement?

Sunday, October 24, 2010

Independent Myanmar Publication Claims Cyberattack

From the New York Times ...

BANGKOK — The Web site of The Irrawaddy, a magazine based in Thailand that is a leading source of news and criticism of the junta in Myanmar, has come under attack and been blocked by hackers, its editor, Aung Zaw, said on Monday.

The “distributed denial of service” attack just after midnight was similar to but more sophisticated than an attack that forced the temporary closing of the site two years ago. Mr. Aung Zaw said it was not clear whether the attack came from inside Myanmar or from China, a close ally. Visitors to the Web site,, have been redirected to a mirror site while technicians seek to restore it.

“This is a new game, a new frontier” in the government’s struggle against its opponents, Mr. Aung Zaw said. “It shows how vulnerable we are.”

M&A in the Underground Economy

From Krebs on Security ...

Leading malware developers within the cyber crime community have conspired to terminate development of the infamous ZeuS banking Trojan and to merge its code base with that of the up-and-coming SpyEye Trojan, new evidence suggests. The move appears to be aimed at building a superior e-banking threat whose sale is restricted to a more exclusive and well-heeled breed of cyber crook.

Underground forums are abuzz with rumors that the ZeuS author — a Russian hacker variously known by the monikers “Slavik” and “Monstr” — is no longer planning to maintain the original commercial crimeware kit.

According to numerous hacker forums, the source code for ZeuS recently was transferred to the developer of the SpyEye Trojan, a rival malware maker who drew attention to himself by dubbing his creation the “ZeuS Killer.” The upstart banking Trojan author constantly claimed that his bot creation kit bested ZeuS in functionality and form (SpyEye made headlines this year when investigators discovered it automatically searched for and removed ZeuS from infected PCs before installing itself).

The rest of this post does an excellent job of describing the competitive dynamics in the underground marketplace. Read more here.

Monday, October 4, 2010

Ukraine Detains 5 Individuals Tied to $70 Million in U.S. eBanking Heists

From Krebs on Security,

Authorities in Ukraine this week detained five individuals believed to be the masterminds behind sophisticated cyber thefts that siphoned $70 million – out of an attempted $220 million — from hundreds of U.S.-based small to mid-sized businesses over the last 18 months, the FBI said Friday.

At a press briefing on “Operation Trident Breach,” FBI officials described the Ukrainian suspects as the “coders and exploiters” behind a series of online banking heists that have led to an increasing number of disputes and lawsuits between U.S. banks and the victim businesses that are usually left holding the bag.

The FBI said five individuals detained by the Security Service of Ukraine (SBU) on Sept. 30 were members of a gang responsible for creating specialized versions of the password-stealing ZeuS banking Trojan and deploying the malware in e-mails targeted at small to mid-sized businesses.

Investigators say the Ukrainian gang used the software to break into computers belonging to at least 390 U.S. companies, transferring victim funds to more than 3,500 so-called “money mules,” individuals in the United States willingly or unwittingly recruited to receive the cash and forward it overseas to the attackers. In connection with the investigation, some 50 SBU officials also executed eight search warrants in the eastern region of Ukraine this week.

New Clues Point to Israel as Author of Blockbuster Worm, Or Not

From Wired's Threat Level Blog,

New clues released this week show a possible link between Israel and sophisticated malware targeting industrial control systems in critical infrastructure systems, such as nuclear plants and oil pipelines.

Late Thursday, security firm Symantec released a detailed paper with analysis of the headline-making code (.pdf), which reveals two clues in the Stuxnet malware that add to speculation that Israel may have authored the code to target Iran.

Or, they could simply be red herrings planted in the code by programmers to point suspicion at Israel and away from other possible suspects.

The malware, called Stuxnet, appears to be the first to effectively attack critical infrastructure and in a manner that produces physical results, although there’s no proof yet any real-world damage has been done by it. The malware’s sophistication and infection of thousands of machines in Iran has led some to speculate that the U.S. or Israeli government built the code to take out Iran’s nuclear program.

Read more here

Some Android apps caught covertly sending GPS data to advertisers

From Ars Technica,

The results of a study conducted by researchers from Duke University, Penn State University, and Intel Labs have revealed that a significant number of popular Android applications transmit private user data to advertising networks without explicitly asking or informing the user. The researchers developed a piece of software called TaintDroid that uses dynamic taint analysis to detect and report when applications are sending potentially sensitive information to remote servers.

They used TaintDroid to test 30 popular free Android applications selected at random from the Android market and found that half were sending private information to advertising servers, including the user's location and phone number. In some cases, they found that applications were relaying GPS coordinates to remote advertising network servers as frequently as every 30 seconds, even when not displaying advertisements. These findings raise concern about the extent to which mobile platforms can insulate users from unwanted invasions of privacy.

Read More here.

Wednesday, September 29, 2010

FBI Drive for Encryption Backdoors Is Déjà Vu for Security Experts

From Wired Magazine via the New York Times,

The FBI now wants to require all encrypted communications systems to have back doors for surveillance, according to a New York Times report, and to the nation’s top crypto experts it sounds like a battle they’ve fought before.

Back in the 1990s, in what’s remembered as the crypto wars, the FBI and NSA argued that national security would be endangered if they did not have a way to spy on encrypted e-mails, IMs and phone calls. After a long protracted battle, the security community prevailed after mustering detailed technical studies and research that concluded that national security was actually strengthened by wide use of encryption to secure computers and sensitive business and government communications.

Now the FBI is proposing a similar requirement that would require online service providers, perhaps even software makers, to only offer encrypted communication unless the companies have a way to unlock the communications.

In the New York Times story that unveiled the drive, the FBI cited a case where a mobster was using encrypted communication, and the FBI had to sneak into his office to plant a bug. One of the named problems was RIM, the maker of BlackBerrys, which provides encrypted e-mail communications for companies and governments, and which has come under pressure from India and the United Arab Emirates to locate its servers in their countries.

According to the proposal, any company doing business in the States could not create an encrypted communication system without having a way for the government to order the company to decrypt it, and those who currently do offer that service would have to re-tool it. It’s the equivalent of outlawing whispering in real life.

Read the full article here.

Sunday, September 26, 2010

DDOS Botnets in Action

The Shadowserver Foundation is an all-volunteer group of security researchers that monitors and reports on online malicious activity. They occasionally blog about some of their more interesting findings. I found a recent post about DDoS botnets particularly interesting.

One of the uses of botnets that I find particularly interesting are Distributed Denial of Service (DDoS) attacks. I spend a fair amount of time tracking the various botnet related attacks that Shadowserver sees, especially when the list of victims is of fairly high profile. I've been watching a DDoS group that has been attacking a wide variety of victims in several different countries. This group uses the BlackEnergy botnet to carry out its attacks.

The rest of the post can be found here.

Saturday, September 25, 2010

ATM Skimmers in Action

From Wired Magazine,

Authorities in Europe have seized a nice video recorded by a group of carders showing the criminals installing a skimming device and hidden camera at an ATM in the United Kingdom to steal customer PINs. Filmed from the hidden pinhole camera itself, installed above the ATM, the video shows how easy it is to capture the PINs as customers enter them on the keypad. But a few wily customers, who are wise to the carders’ tricks, manage to thwart their scheme by shielding the keypad as they type in their number.

Google's Eric Schmidt on Privacy


Microsoft Seeks Privacy Law to Aid Cloud Computing

Microsoft Corp. is urging an overhaul of U.S. laws for electronic privacy to help new services such as cloud computing, a technology that may double sales in five years.

As more data are stored on remote servers and away from personal computers, a 1986 digital law needs to be updated to give consumers confidence their information is protected, Brad Smith, Microsoft’s general counsel, said yesterday at a Senate Judiciary Committee hearing in Washington.

Read more here

Monday, May 17, 2010

UPDATE: There seem to be some questions about the safety and reliability of this tool. When I have some free time I am going to conduct a behavioral analysis to vet the tool. Please refrain from using it until it's been validated as safe.

I just discovered an interesting new site,, which according to the site admins is designed "to promote privacy awareness on Facebook and elsewhere."

The site works by "scanning your Facebook privacy settings" and warning you "about settings that might be unexpectedly public."

hat tip to Drew Conway (@drewconway)

Saturday, May 15, 2010

Facebook Backlash

Seems that I'm not the only one interested in deleting their Facebook account. This graph from Google Insights details a spike in the number of internet searches for "delete facebook."

Also, Google Suggest indicates that lots of folks are querying "how do I delete my facebook account."

Thursday, May 13, 2010

Farewell to Facebook

When I have some spare time I'll provide more thoughts on this.

Tuesday, April 27, 2010

Sens. press Facebook on giving data to advertisers

From the Washington Post's Cecilia Kang,
Sens. Charles Schumer (D-NY), Michael F. Bennet (D-Colo.), and Al Franken (D-Minn.) plan to send a letter today to Facebook, urging the social networking giant to change the way it gives user data to third-party advertisers.

Last week, changes at Facebook made data from its users available to third parties unless a user opted out, the lawmakers said. That means, they said, the default for most users is for private information to be available to advertisers and other third parties.

"Social networking sites are a Wild West of the Internet; users need ability to control private information and fully understand how it's being used," the lawmakers wrote in a news release. They will hold a news conference at noon Tuesday and release a letter they will send to Facebook asking for changes to the site's privacy policies.

As we discussed yesterday, Facebook has again appeared to increase its sharing of its users' data with third parties. Over the past two years Facebook has pushed more of its users' data into the open. First with the infamous News Feed, then with the Beacon program, followed by its recent redefinition of publicly available information which allowed Google to crawl Facebook, and now with this new program that shares data with a growing list of third party providers.

We discussed repeatedly in class that privacy is properly defined as the ability to control how your data is used. It seems clear that Facebook is pushing the limits of its users' privacy by removing an individual user's ability to control how his or her personal information is shared with and used by third parties. Sadly, Facebook could avoid many of its impending perception and potential legal problems if they simply adopted an opt-in policy instead of forcing user data into the public domain and only allowing users to opt out after it may be too late.