Tuesday, April 27, 2010

Sens. press Facebook on giving data to advertisers

From the Washington Post's Cecilia Kang,
Sens. Charles Schumer (D-NY), Michael F. Bennet (D-Colo.), and Al Franken (D-Minn.) plan to send a letter today to Facebook, urging the social networking giant to change the way it gives user data to third-party advertisers.

Last week, changes at Facebook made data from its users available to third parties unless a user opted out, the lawmakers said. That means, they said, the default for most users is for private information to be available to advertisers and other third parties.

"Social networking sites are a Wild West of the Internet; users need the ability to control private information and fully understand how it's being used," the lawmakers wrote in a news release. They will hold a news conference at noon Tuesday and release a letter they will send to Facebook asking for changes to the site's privacy policies.
As we discussed yesterday, Facebook has again appeared to increase its sharing of its users' data with third parties. Over the past two years Facebook has pushed more of its users' data into the open: first with the infamous News Feed, then with the Beacon program, followed by its recent redefinition of publicly available information, which allowed Google to crawl Facebook, and now with this new program that shares data with a growing list of third-party providers.

We discussed repeatedly in class that privacy is properly defined as the ability to control how your data is used. It seems clear that Facebook is pushing the limits of its users' privacy by removing an individual user's ability to control how his or her personal information is shared with and used by third parties. Sadly, Facebook could avoid many of its impending perception problems and potential legal problems if it simply adopted an opt-in policy, instead of forcing user data into the public domain by default and only allowing users to opt out after it may be too late.

Monday, April 26, 2010

Charting Cybercrime

Brian Krebs pointed me to this Google Maps mashup, titled Cybertheft Victims, created by Aaron Jacobson of Authentify. It uses media reports to chart online banking heists. As you can see, the damage has been widespread and costly. Krebs provides his thoughts on the mashup here.


Sunday, April 25, 2010

Rebutting Cyberwar Rhetoric

While we have spent a good deal of time this semester discussing the various ways nation-states and non-state actors can use the Internet to achieve political and financial goals, it is important to listen to the voices that rebut the overheated "Cyberwar!" rhetoric that ricochets around the DC beltway. Among the principal critics of the cyberwar drumbeat are the folks over at Wired Magazine's Threat Level blog. In a recent post, Wired's Ryan Singel provides an incisive critique of former National Security Council member Richard Clarke's new book, Cyberwar.

Singel writes,
Readers of Richard Clarke’s new book Cyberwar who want to jump to the steamy parts should start at page 64 in the chapter “Cyber Warriors.” It’s there you’ll find the Book of Revelation re-written for the internet age, with the end-times heralded by the Four Trojan Horses of the Apocalypse.

Chinese hackers take down the Pentagon’s classified and unclassified networks, trigger explosions at oil refineries, release chlorine gas from chemical plants, disable air traffic control, cause trains to crash into each other, delete all data — including offsite backups — held by the federal reserve and major banks, then plunge the country into darkness by taking down the power grid from coast-to-coast. Thousands die immediately. Cities run out of food, ATMs shut down, looters take to the streets.

That electronic Judgment Day is not the stuff of bad movies or sci-fi novels, according to Clarke, who writes, “A sophisticated cyber war attack by one of several nation-states could do that today, in fifteen minutes.”

That’s right. In less time than it takes to download Live Free or Die Hard, foreign hackers could make it real.
Singel continues,
It’s not just Clarke’s 15-minutes-to-doomsday scenario that stretches credulity. Like most cyberwar pundits, Clarke puts a shine on his fear mongering by regurgitating long-ago debunked hacker horror stories. In his world, the Slammer worm was partially responsible for the Northeast blackout of 2003 — the Energy Department concluded otherwise. A power outage in Brazil is similarly attributed to a hacker, when the real-life evidence points to sooty insulators. Clarke describes the Russian denial-of-service attacks against Estonian servers in 2007 as the “largest ever seen” (not even close). He claims that foreign hackers stole the plans to the F-35 Joint Strike Fighter fighter, when they actually nabbed unclassified information on the plane’s self-diagnostic system.

So much of Clarke’s evidence is either easily debunked with a Google search, or so defies common sense, that you’d think reviewers of the book would dismiss it outright. Instead, they seem content to quote the book liberally and accept his premise that cyberwar could flatten the United States, and no one in power cares at all. Of course, the debunking would be easier if the book had footnotes or endnotes, but neither are included — Revelation doesn’t need sources.
Singel notes,
Clarke’s prescriptions are manifold. First, the nation’s backbone carriers — the ones with fiber optic networks crisscrossing the country — should be required to inspect all packets, and delete the ones that match known signatures of viruses and other malware. While that might seem like a fine idea, the security industry is already moving away from signature-based strategies, since malware-makers have taken to testing their payloads against anti-virus software before deploying it.

ISPs already have the ability, and the legal right, to filter out known bad packets, but requiring it — as Clarke would do — would not only be ineffective, but it would inevitably lead to other demands to filter content, first child pornography, then perceived copyright violations, and finally unwanted speech of all sorts. Clarke fails to consider the contents of the Pandora’s box he seeks to open.

More persuasively, Clarke argues the feds need to set some real, auditable and binding rules for companies that run critical infrastructure, such as the electrical grid. The current policy is driven by the rationale that private-sector companies have enough financial incentive to protect their network, and the government’s role should be limited to helping share information about threats among the stakeholders. That policy works well when it comes to companies like Google and Chase, which could lose customers if their networks are routinely hacked, but isn’t as effective for your energy company, which likely has no real competition.

So, even if you don’t accept Clarke’s doomsday predictions, there’s a good case to be made that the feds ought to have strong rules governing these systems, and, as he suggests, a crew of white hat hackers tasked with trying to bust into the grid on a daily basis.
Singel concludes,
The cyberwar rhetoric is dangerous. Its practitioners are artists of exaggeration, who seem to think spinning tall tales is the only way to make bureaucracies move in the right direction. But yelling “Cyberwar” in a crowded internet is not without consequence. Not only does it promote unnecessary fear, it feeds the forces of parochial nationalism and militarism — undermining a communications system that has arguably done more to connect the world’s citizens than the last 50 years of diplomacy.
Check out the full article here.

Friday, April 23, 2010

CBS Report on Cybersecurity

This report from CBS News is a good brief overview of how the lack of international cooperation on cyber security represents a threat to US national security.

The video also shows something that all of us should already know - Mudge is the man.

Thursday, April 22, 2010

Google Shines Light on Government Requests

Google has launched a new service designed to inform its users about which governments request the removal of content and data about Google users. According to Google, "we regularly receive requests from government agencies around the world to remove content from our services, or provide information about users of our services and products. The map shows the number of requests that we received between July 1, 2009 and December 31, 2009, with certain limitations. We know these numbers are imperfect and may not provide a complete picture of these government requests. For example, a single request may ask for the removal of more than one URL or for the disclosure of information for multiple users. See the FAQ for more information."

Check out the service here.

Friday, April 16, 2010

Military asserts right to return cyber attacks

Fascinating read from the AP Wire ...
The U.S. must fire back against cyber attacks swiftly and strongly and should act to counter or disable a threat even when the identity of the attacker is unknown, the director of the National Security Agency told Congress.

Lt. Gen. Keith Alexander, who is the Obama administration's nominee to take on additional duties as head of the new Cyber Command, also said the U.S. should not be deterred from taking action against countries such as Iran and North Korea just because they might launch cyber attacks.

"Even with the clear understanding that we could experience damage to our infrastructure, we must be prepared to fight through in the worst case scenario," Alexander said in a Senate document obtained by The Associated Press.

Alexander's answers reflect the murky nature of the Internet and the escalating threat of cyber terrorism, which defies borders, operates at the speed of light and can provide deep cover for assailants who can launch disruptive attacks from continents away, using networks of innocent computers.
The article continues,
U.S. computer networks are under constant attack, and President Barack Obama last year declared that the cyber threat is one of the nation's most serious economic and national security challenges.

Alexander offered a limited but rare description of offensive U.S. cyber activities, saying the U.S. has "responded to threats, intrusions and even attacks against us in cyberspace," and has conducted exercises and war games.

It's unclear, Alexander added, whether or not those actions have deterred criminals, terrorists or nations.

In cyberspace, he said, it is difficult to deliver an effective response if the attacker's identity is not known.

But commanders have clear rights to self-defense, he said. He added that while "this right has not been specifically established by legal precedent to apply to attacks in cyberspace, it is reasonable to assume that returning fire in cyberspace, as long as it complied with law of war principles ... would be lawful."

Senators noted, in their questions, that police officers don't have to know the identity of a shooter in order to shoot back. In cyberspace, the U.S. may be able to counter a threat, rebuff an electronic probe or disable a malicious network without knowing who is behind the attack.
The article concludes,
Noting that there is no international consensus on the definition of use of force, in or out of cyberspace, Alexander said uncertainty creates the potential for disagreements among nations.

Alexander echoed other experts who warn that the U.S. is unprepared for a cyber attack. He said the first priority is to make sure the nation can defend its networks, which are now a "strategic vulnerability."

Alexander said the biggest challenge facing the development of Cyber Command will be improving the defense of military networks, which will require better real-time knowledge of intrusions.

He added that it will be difficult for the military to gain superiority in cyberspace, but the goal is "realistic."
Read the full article here.

Almost all Fortune 500 companies show Zeus botnet activity

From Ars Technica ...
Up to 88% of Fortune 500 companies may have been affected by the Zeus trojan, according to research by RSA's FraudAction Anti-Trojan division, part of EMC. The trojan installs keystroke loggers to steal login credentials to banking, social networking, and e-mail accounts.

The botnet was first identified in 2007 and is still around today. The malware tends to be difficult to detect and remove, and several million machines worldwide are believed to be infected. The Zeus server-side components, used to collect the stolen data, surprisingly mimic techniques more commonly seen in the world of commercial software; the software is licensed (with fees ranging from several hundred to a few thousand dollars), and each installation is tied to the hardware it's installed on in a system reminiscent of Microsoft's software activation. The malware itself predominantly attacks Windows XP machines, though Windows Vista and Windows 7 variants are available for sale too.
Read the full article here.

Security Incidents Rise In Industrial Control Systems

From Dark Reading ...
While only about 10 percent of industrial control systems are actually connected to the Internet, these systems that run water, wastewater, and utility power plants have suffered an increase in cybersecurity incidents over the past five years.

A new report based on data gathered by the Repository of Industrial Security Incidents (RISI) database provides a rare look at trends in malware infections, hacks, and insider attacks within these traditionally cloistered operations. Cybersecurity incidents in petroleum and petrochemical control systems have declined significantly over the past five years--down more than 80 percent-- but water and wastewater have increased 300 percent, and power/utilities by 30 percent, according to the 2009 Annual Report on Cyber Security Incidents and Trends Affecting Industrial Control Systems.

As we've discussed in class, the ability to attack the critical infrastructure systems that control oil and gas, water, and power is the bridge between cyber warfare and physical warfare. A successful attack on these systems would surely harm our economy and could impede our ability to wage war.

Read the full article here.

Monday, April 12, 2010


I just stumbled across stormtroopers365.com, aka the greatest photo blog on the Internet. The author took pictures of his Star Wars action figures every day for one year. I've posted one of my favorite photographs below.

This has no relevance to class whatsoever. People my age think Star Wars is cool. I'm old.

Iowa bank compromised, serving exploits

From Sunbelt Software's blog ...

Northwestern Bank Online, a bank in Iowa, was compromised.

On Friday, April 9th, engineers from Sunbelt noticed that the Northwestern Bank Online site was redirecting to an exploit pack that infected vulnerable users.

Further investigation by Dancho Danchev revealed that this exploit dropped the Zeus banking trojan onto vulnerable victims' machines. Zeus is a particularly nasty piece of malware. Kevin Stevens and Don Jackson from SecureWorks provide an excellent write-up on Zeus here. You can also track live Zeus infections here at the Zeus Tracker.

Sunday, April 11, 2010

Investigating a Phishing Attack

A former student noticed this strange email sent to a Georgetown University mailing address on Friday, April 9, 2010. My former student noticed immediately that the email's return address was not in the georgetown.edu domain and was instead warningalertweb@ymail.com. Ymail.com is a Yahoo! email domain. Further, the email requested that students reply with their university user IDs and passwords. Clearly this was a phishing attempt. I trust that all current and former students of this class would have immediately recognized this email scam.

As I had some spare time this weekend, I decided to investigate this amateurish attempt to steal personal information from the student body. The first thing I did was examine the headers of the email. From the Gmail web client you can view the headers by clicking on the down arrow immediately to the right of the reply icon and selecting "Show original".

An examination of the headers revealed that the email originated from a server in South Korea with the IP address Further, it appears the spammers utilized a hacked email account belonging to a real estate agent in Roseburg, Oregon.

According to Project Honeypot, the South Korean server has previously been used by spam harvesters and comment spammers.
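The header checks described above, as an added example that is not part of the original post: a Python script that walks the Received chain from the bottom to find the host that handed the message to the first relay, looks for a hop submitted with SMTP AUTH (which is what a hijacked mailbox looks like in the headers), flags every sender-side address outside the expected domain, and checks the body for a credential request. The message, host names, IP addresses and mailbox names in it are constructed placeholders (RFC 5737 documentation ranges and the .test TLD), not the ones from the real incident.

```python
"""Triage a suspected phishing email from its raw headers and body.

Added example for this post; it is not the blog author's script. RAW_MESSAGE is
a constructed message in RFC 5322 format: the host names, IP addresses and
mailbox names are documentation placeholders, not the ones from the incident.
"""
from __future__ import annotations

import email
import ipaddress
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

RAW_MESSAGE = b"""\
Received: from localhost (localhost [127.0.0.1])
\tby mx.example-university.test (content filter); Fri, 9 Apr 2010 10:15:03 -0400
Received: from smtp.example-isp.test (smtp.example-isp.test [198.51.100.25])
\tby mx.example-university.test with ESMTP; Fri, 9 Apr 2010 10:15:01 -0400
Received: from [203.0.113.77] (unknown [203.0.113.77])
\tby smtp.example-isp.test with ESMTPA; Fri, 9 Apr 2010 10:14:58 -0400
From: "Webmail Helpdesk" <agent@example-isp.test>
Reply-To: warningalertweb@ymail.com
To: student@example-university.test
Subject: Verify your mailbox
Date: Fri, 9 Apr 2010 10:14:58 -0400
Message-ID: <20100409141458.1@example-isp.test>
Content-Type: text/plain; charset="us-ascii"

Your mailbox will be closed. Reply with your userid and password to keep it.
"""

EXPECTED_DOMAIN = "example-university.test"  # domain the mail claims to be from

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Addresses that can never be the sender's public origin. RFC 1918, loopback and
# link-local are listed explicitly rather than via is_private so that the
# documentation ranges used in the sample (which Python also classes as private)
# still count as public here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def parse(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)


def received_chain(msg: EmailMessage) -> list[str]:
    """Received headers in delivery order (first hop first). Each MTA prepends
    its own header, so the topmost one in the message is the most recent hop."""
    return [str(h) for h in reversed(msg.get_all("Received") or [])]


def originating_ip(msg: EmailMessage) -> str | None:
    """First non-internal IPv4 address in the chain, i.e. the host that handed
    the message to the first relay. Caveat: only the hops added by servers you
    trust are reliable; anything below them may have been forged by the sender,
    so corroborate the address (the post does so with Project Honeypot)."""
    for hop in received_chain(msg):
        for ip_text in IP_IN_BRACKETS.findall(hop):
            ip = ipaddress.ip_address(ip_text)
            if not any(ip in net for net in INTERNAL_NETS):
                return ip_text
    return None


def authenticated_hop(msg: EmailMessage) -> str | None:
    """The Received line, if any, where the message was submitted with SMTP AUTH
    (ESMTPA/ESMTPSA). That relay accepted the message on the strength of an
    account's credentials, which is how a hijacked mailbox shows up."""
    for hop in received_chain(msg):
        if re.search(r"\bESMTPS?A\b", hop):
            return hop
    return None


def domain_findings(msg: EmailMessage, expected_domain: str) -> list[str]:
    """Flag every sender-side address whose domain is not the expected one."""
    findings = []
    for field in ("From", "Reply-To", "Return-Path"):
        value = msg.get(field)
        if not value:
            continue
        _, addr = parseaddr(str(value))
        domain = addr.rpartition("@")[2].lower()
        if domain != expected_domain.lower():
            findings.append(f"{field} uses {domain}, not {expected_domain}")
    return findings


CREDENTIAL_WORDS = re.compile(r"\b(password|passwd|user ?id|netid)\b", re.I)


def asks_for_credentials(msg: EmailMessage) -> bool:
    body = msg.get_body(preferencelist=("plain",))
    return bool(body and CREDENTIAL_WORDS.search(body.get_content()))


def triage(raw: bytes) -> dict:
    msg = parse(raw)
    return {
        "origin_ip": originating_ip(msg),
        "auth_hop": authenticated_hop(msg),
        "domain_findings": domain_findings(msg, EXPECTED_DOMAIN),
        "asks_for_credentials": asks_for_credentials(msg),
    }


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Run against the sample, `triage` reports the submitting host (203.0.113.77), the ESMTPA hop at the ISP (the account that was abused), two domain mismatches (From and Reply-To) and a credential request in the body. Feed it the text of "Show original" from a real message to get the same four answers.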

While satisfied that I understood how the spammers executed their fraud, I still wanted to know more about the individual(s) attempting to steal personal information from the student body. So, I decided to respond to their phishing attempt with one of my own. I set up a fake email account and responded to the phishing attempt with phony information. I embedded my phony reply with web bugs and links back to a blog that I established to act as a honeypot.

My plan was simple. The scammer would open my response email thinking that they had stolen data from an unwitting victim. As they opened my email, the web bugs would beacon back to my blog, giving me the hacker's IP address. Alternatively, the attacker might be dumb enough to click on the embedded links to my phony blog. In this case, it appears the hacker was indeed dumb enough to click on the links back to the fake blog. This action revealed that the hacker was retrieving the stolen information via a computer in Hyderabad, India. It is possible that the attacker was using a proxy to retrieve his stolen data, but the fact that he clicked on the blog link in my phony email doesn't give me much confidence that this clown practices solid operational security.
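The web bug and bait link described above, as an added example rather than the author's own setup: a small Python HTTP server that serves a one-pixel GIF and a decoy page, records each hit with the connecting address, User-Agent and a per-message token (so a hit can be tied to the bait reply that triggered it), and a helper that builds the HTML body of the bait reply. BASE_URL is a placeholder for a host you control; the bait reply is assumed to be sent as HTML from a throwaway account.

```python
"""A minimal web bug and link beacon for tracking who opens a bait reply.

Added example for this post, not the blog author's setup. It assumes a host you
control (BASE_URL is a placeholder) and that the bait reply goes out as HTML
from a throwaway account. Each bait message gets its own token so that a hit
can be matched to the message that triggered it.
"""
from __future__ import annotations

import secrets
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Mapping
from urllib.parse import parse_qs, urlsplit

BASE_URL = "http://beacon.example.test"  # placeholder; use your own host

# 1x1 transparent GIF, the classic web bug payload (42 bytes).
PIXEL = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
         b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
         b"\x00\x02\x02D\x01\x00;")

HITS: list[dict] = []  # in-memory log; persist it in a real deployment


def new_token() -> str:
    """Unpredictable per-message token, so hits cannot be guessed or replayed
    by someone who merely knows the beacon host."""
    return secrets.token_urlsafe(8)


def build_bait_html(token: str, base_url: str = BASE_URL) -> str:
    """HTML body for the reply: plausible text, an invisible image that fires
    when the client renders remote images, and a link that fires only if
    the reader clicks it (the post's 'dumb enough to click' case)."""
    return (
        "<html><body>"
        "<p>Hello, here are the details you asked for.</p>"
        f'<p>They are posted at <a href="{base_url}/notes?t={token}">'
        f"{base_url}/notes</a> because the attachment bounced.</p>"
        f'<img src="{base_url}/p.gif?t={token}" width="1" height="1" alt="">'
        "</body></html>"
    )


def record_hit(path: str, remote_ip: str, headers: Mapping[str, str]) -> dict:
    """Turn one request into a hit record. The address that counts is the TCP
    peer; X-Forwarded-For is attacker-controllable and kept only as a hint.
    Remember that a proxy, VPN or a webmail provider that fetches images on
    the reader's behalf will show up here instead of the reader."""
    parts = urlsplit(path)
    token = parse_qs(parts.query).get("t", [""])[0]
    hit = {
        "time": time.time(),
        "kind": "open" if parts.path == "/p.gif" else "click",
        "token": token,
        "ip": remote_ip,
        "forwarded_for": headers.get("X-Forwarded-For"),
        "user_agent": headers.get("User-Agent", ""),
    }
    HITS.append(hit)
    return hit


class BeaconHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        hit = record_hit(self.path, self.client_address[0], self.headers)
        if hit["kind"] == "open":
            self.send_response(200)
            self.send_header("Content-Type", "image/gif")
            self.send_header("Cache-Control", "no-store")  # every open hits us
            self.end_headers()
            self.wfile.write(PIXEL)
        else:
            body = b"<html><body><p>Nothing here yet.</p></body></html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(body)

    def log_message(self, fmt, *args):  # silence the stdlib access log
        pass


if __name__ == "__main__":
    print(build_bait_html(new_token()))
    HTTPServer(("0.0.0.0", 8080), BeaconHandler).serve_forever()
```

Running the module prints the bait HTML for one token and then listens on port 8080; each image fetch or link click lands in HITS with the peer address the post was after. Expect some noise: anti-virus link scanners and webmail image proxies also fetch beacons, so an "open" without a matching "click" from the same address deserves less confidence than the click did in the post.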

Friday, April 9, 2010

Bank of America Employee Charged With Planting Malware on ATMs

A Bank of America worker installed malicious software on his employer’s ATMs that allowed him to make thousands of dollars in fraudulent withdrawals, all without leaving a transaction record, according to federal prosecutors.

Rodney Reed Caverly, 37, was a member of the bank’s IT staff when he installed the malware. The Charlotte, North Carolina, man made fraudulent withdrawals over a seven-month period ending in October 2009, according to prosecutors, who’ve charged him with one count of computer fraud.
The Wired piece continues with more detail:
The charges were filed the same day that credit card company Visa warned the banking industry that Eastern European ATM malware recently showed up in America for the first time.

That code, initially spotted last year on some 20 ATMs in Russia and Ukraine, was designed primarily to capture PINs and bank card magstripe data, but also allowed thieves to instruct the machine to eject whatever cash was still in it. At the time, security firm Trustwave warned that the malware was likely headed for ATMs in the United States.

At least 16 versions of the East European malware have been found so far and were designed to attack ATMs made by Diebold and NCR, according to the April 1 Visa alert.

There is no information tying the malware found in Russia with the malware allegedly used by Caverly. Bank of America did not immediately respond to a call for comment about the case, but told the Associated Press that the bank discovered the thefts internally. Caverly’s attorney did not return a call.

Nick Percoco, vice president and head of Trustwave’s SpiderLabs Incident Response Team, said the malware does sound like it could be the malware found in East Europe or a version of it.

“[Caverly] could have obtained a copy of that and modified it for his own use,” he told Threat Level. “But the ability to dispense cash without recording activity — that was definitely a feature of the East European malware.”
On a related note, police in Alexandria, Virginia, a mere twenty minutes from campus, reported the discovery of an ATM skimming device. According to the Alexandria Police Department, on Sunday, February 28, 2010, an ATM skimming device was discovered at the Wachovia Bank at 3624 King Street. The police noted, "an ATM technician working on the machine found the skimming device. The engineer took photos of the device and went inside the bank to notify the bank’s security office. When he returned a few minutes later, the device had been removed. Several customers have come forward to report fraudulent charges on their bank cards with current losses estimated at over $60,000."

Brian Krebs of Krebsonsecurity.com has extensively covered how criminals use hardware and software tools to steal ATM card data and PIN codes. Check out his reporting here and here.

Tuesday, April 6, 2010

Cyber criminals getting specialized, FBI says

From Federal Computer Week ...

At the FOSE 2010 conference the FBI's deputy assistant director of its Cyber Division, Steven Chabinsky, discussed the increasing specialization of skills in the cyber criminal marketplace. Chabinsky stated, “just like you have doctors who are specialists instead of general practitioners, we have cyber criminals who are specialists instead of general practitioners.”

According to Chabinsky, the most common cyber criminal specialties are:

  • Coders or programmers who write malware and exploits
  • Distributors or vendors who trade and sell stolen data
  • Techies who maintain the needed information technology infrastructures
  • Hackers
  • Fraudsters who create social engineering schemes
  • Hosters
  • Money movers
  • Launderers of digital proceeds and
  • People, often without technical skills, who handle personnel issues

Researchers Trace Data Theft to Intruders in China

From the New York Times ...
Turning the tables on a China-based computer espionage gang, Canadian and United States computer security researchers have monitored a spying operation for the past eight months, observing while the intruders pilfered classified and restricted documents from the highest levels of the Indian Defense Ministry.

In a report issued Monday night, the researchers, based at the Munk School of Global Affairs at the University of Toronto, provide a detailed account of how a spy operation they called the Shadow Network systematically hacked into personal computers in government offices on several continents.

The Toronto spy hunters not only learned what kinds of material had been stolen, but were able to see some of the documents, including classified assessments about security in several Indian states, and confidential embassy documents about India’s relationships in West Africa, Russia and the Middle East. The intruders breached the systems of independent analysts, taking reports on several Indian missile systems. They also obtained a year’s worth of the Dalai Lama’s personal e-mail messages.
I had the pleasure of meeting one of the Citizen Lab's lead researchers, Nart Villeneuve, at a NATO conference last year, and of working with others, including Greg Walton and Rafal Rohozinski, while a member of Project Grey Goose. These guys do incredible work and have excellent insights into how nation-states and non-state actors use the Internet as a weapon.

Their most recent report, SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0, is well worth the read, and many of the report's key findings apply directly to our class discussions. In the report's foreword the authors state,
Governments around the world are engaged in a rapid race to militarize cyber space, to develop tools and methods to fight and win wars in this domain. This arms race creates an opportunity structure ripe for crime and espionage to flourish. In the absence of norms, principles and rules of mutual restraint at a global level, a vacuum exists for subterranean exploits to fill.
There is a real risk of a perfect storm in cyberspace erupting out of this vacuum that threatens to subvert cyberspace itself, either through over-reaction, a spiraling arms race, the imposition of heavy-handed controls, or through gradual irrelevance as people disconnect out of fear of insecurity.

For those of you considering examining how nation-states use cyber weapons to achieve political goals, the SHADOWS IN THE CLOUD report is a must read.