<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-4050177321399051504</id><updated>2012-01-28T07:54:23.068-05:00</updated><category term='Admin'/><category term='Deterrence'/><category term='Cyber Crime'/><category term='Technology'/><category term='Cyber Espionage'/><category term='security'/><category term='Terrorism'/><category term='policy'/><category term='privacy'/><category term='Information Warfare'/><category term='Transparency'/><category term='Books'/><category term='anonymization'/><category term='humor'/><title type='text'>The Cuckoo's Egg</title><subtitle type='html'>This blog is a complement to Georgetown University's COSC-011 Introduction to Information Privacy.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default?start-index=101&amp;max-results=100'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' 
uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>234</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-7134869790556927371</id><published>2011-10-04T17:49:00.001-04:00</published><updated>2011-10-04T17:50:43.076-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Espionage'/><category scheme='http://www.blogger.com/atom/ns#' term='Information Warfare'/><title type='text'>Congressman lambastes Chinese cyber-espionage</title><content type='html'>From the Washington Post,&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;&lt;blockquote&gt;The chairman of the House intelligence committee on Tuesday launched a broadside against the Chinese government and its efforts to steal commercial data and other intellectual property online, saying that Beijing’s cyber-espionage campaign has “reached an intolerable level” and that the United States and its allies have an “obligation to confront Beijing and demand that they put a stop to this piracy.”&lt;br /&gt;&lt;br /&gt;Rep. Mike Rogers (R-Mich.) noted that it might seem odd that a lawmaker charged with overseeing the U.S. intelligence community should lament spying by another government. But he said that China’s espionage activities now extend beyond the U.S. 
government and military to include scores of private American companies.&lt;/blockquote&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Continue reading &lt;a href="http://www.washingtonpost.com/blogs/checkpoint-washington/post/congressman-lambasts-chinese-cyber-espionage/2011/10/04/gIQA5SM7KL_blog.html"&gt;here&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-7134869790556927371?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/7134869790556927371/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=7134869790556927371' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/7134869790556927371'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/7134869790556927371'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2011/10/congressman-lambastes-chinese-cyber.html' title='Congressman lambastes Chinese cyber-espionage'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-2570087179932610248</id><published>2011-10-02T17:00:00.000-04:00</published><updated>2011-10-02T17:01:52.044-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Espionage'/><category scheme='http://www.blogger.com/atom/ns#' term='Information Warfare'/><title type='text'>Homeland Security tries to shore up nation’s 
cyber defenses</title><content type='html'>From the Washington Post,&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;&lt;blockquote&gt;Screens glowed, mice clicked and lines of code scrolled on the laptop monitors of a hacker team hired by Barney Advanced Domestic Chemical Co. — or BAD Company — to break into a rival firm’s computer network.&lt;br /&gt;&lt;br /&gt;In another room here at Idaho National Laboratory, a computer operator noticed something wrong. “They’re hitting one of our servers!” he said. The lights in the control room soon failed, and liquid gushed from a set of tanks as green and red lights flashed.&lt;br /&gt;&lt;br /&gt;“We’ve got a spillover!” shouted the supervisor. “Call the hazmat team!”&lt;/blockquote&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Continue reading &lt;a href="http://www.washingtonpost.com/world/national-security/homeland-security-tries-to-shore-up-nations-cyber-defenses/2011/09/27/gIQAtQ6bDL_story.html"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-2570087179932610248?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/2570087179932610248/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=2570087179932610248' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/2570087179932610248'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/2570087179932610248'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2011/10/homeland-security-tries-to-shore-up.html' title='Homeland Security tries to shore up nation’s cyber defenses'/><author><name>Ned 
Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-4819859090649591761</id><published>2011-10-02T16:47:00.000-04:00</published><updated>2011-10-02T16:48:08.782-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Espionage'/><category scheme='http://www.blogger.com/atom/ns#' term='Information Warfare'/><title type='text'>2,700 hacking attempts on S.Korea military in year</title><content type='html'>From the AFP,&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;&lt;blockquote&gt;South Korea's military has seen more than 2,700 attempts to hack into its websites over the past year, a lawmaker said Wednesday, amid growing concern over North Korea's cyber warfare capability.&lt;br /&gt;&lt;br /&gt;Kim Ok-Lee of the ruling Grand National Party said the military's websites had seen 2,772 hacking attempts from July 2010 to last month, according to data from the defence ministry.&lt;br /&gt;&lt;br /&gt;The monthly average number of attacks has grown from some 170 last year to more than 200 in 2011, the ministry said in a report submitted to Kim.&lt;/blockquote&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Continue reading &lt;a href="http://www.google.com/hostednews/afp/article/ALeqM5iSfgqsT_s8UYmA42bn9FKfUsa34Q?docId=CNG.fb31e2b783a7329503e2a063cf01c148.921"&gt;here&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-4819859090649591761?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/4819859090649591761/comments/default' title='Post Comments'/><link 
rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=4819859090649591761' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/4819859090649591761'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/4819859090649591761'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2011/10/2700-hacking-attempts-on-skorea.html' title='2,700 hacking attempts on S.Korea military in year'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-7243875694136932173</id><published>2011-10-02T16:44:00.000-04:00</published><updated>2011-10-02T16:45:15.034-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Crime'/><title type='text'>Suit Claims Real Estate Firm Hacked Rival’s Listings</title><content type='html'>From the Wall Street Journal,&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;&lt;blockquote&gt;Bond New York, a real estate brokerage with hundreds of upscale apartment listings around the city, has been accused of hacking into a competitor’s computer system and stealing listing information.&lt;br /&gt;&lt;br /&gt;A.C. 
Lawrence &amp; Co., a competitor firm, has filed suit in New York Civil Supreme Court, claiming that Bond has been hacking into its computer system since February and stealing exclusive listing information.&lt;br /&gt;&lt;br /&gt;Competition among residential brokers for exclusive listings has long been fierce, the suit notes that this appears to be the first time in New York State that a brokerage has been accused of hacking into computers to steal listings.&lt;/blockquote&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Continue reading &lt;a href="http://blogs.wsj.com/metropolis/2011/09/29/suit-claims-real-estate-firm-hacked-rivals-listings/"&gt;here&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-7243875694136932173?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/7243875694136932173/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=7243875694136932173' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/7243875694136932173'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/7243875694136932173'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2011/10/suit-claims-real-estate-firm-hacked.html' title='Suit Claims Real Estate Firm Hacked Rival’s Listings'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-8575342270568165875</id><published>2011-10-02T14:16:00.001-04:00</published><updated>2011-10-02T14:18:48.690-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='anonymization'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>There's little privacy in a digital world</title><content type='html'>From the LA Times,&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;&lt;blockquote&gt;During his two-hour morning bike ride, Eric Hartman doesn't pay much attention to his iPhone.&lt;br /&gt;&lt;br /&gt;But the iPhone is paying attention to him.&lt;br /&gt;&lt;br /&gt;As he traverses the 30-mile circuit around Seal Beach, Hartman's iPhone knows precisely where he is at every moment, and keeps a record of his whereabouts. That data is beamed to Apple Inc. 
multiple times each day, whether Hartman is using his phone to take pictures, search for gas stations or check the weather.&lt;br /&gt;&lt;br /&gt;And it's not just the iPhone that's keeping track.&lt;/blockquote&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Continue reading &lt;a href="http://www.latimes.com/business/la-fi-no-privacy-20111002,0,1002453.story"&gt;here&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-8575342270568165875?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/8575342270568165875/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=8575342270568165875' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/8575342270568165875'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/8575342270568165875'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2011/10/theres-little-privacy-in-digital-world.html' title='There&apos;s little privacy in a digital world'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-6543997566828409361</id><published>2011-10-02T14:10:00.000-04:00</published><updated>2011-10-02T14:12:10.426-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='anonymization'/><category 
scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Facebook Targeted in Group Privacy Suit Over Internet Tracking</title><content type='html'>From BusinessWeek,&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;&lt;blockquote&gt;Facebook Inc., the world’s most popular social-networking service, was accused by users of the site in a class-action lawsuit of secretly tracking their Web activity after they log off.&lt;br /&gt;&lt;br /&gt;The company assures users that “cookie” files installed on their computers to identify them and track their interactions with Facebook applications and websites while they are logged on are removed when they log off, according to a complaint in federal court in San Jose, California. Facebook admitted on Sept. 26 that the cookies track users’ Internet activity after they log off, according to yesterday’s complaint.&lt;br /&gt;&lt;/blockquote&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Continue reading &lt;a href="http://www.businessweek.com/news/2011-10-01/facebook-targeted-in-group-privacy-suit-over-internet-tracking.html"&gt;here&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-6543997566828409361?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/6543997566828409361/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=6543997566828409361' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/6543997566828409361'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/6543997566828409361'/><link rel='alternate' type='text/html' 
href='http://gucosc011.blogspot.com/2011/10/facebook-targeted-in-group-privacy-suit.html' title='Facebook Targeted in Group Privacy Suit Over Internet Tracking'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-6608057008360583890</id><published>2011-09-25T17:51:00.000-04:00</published><updated>2011-09-25T17:53:03.884-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Espionage'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='Information Warfare'/><title type='text'>'Lurid' malware hits Russia, CIS countries</title><content type='html'>Courtesy of ComputerWorld's Jeremy Kirk,&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;&lt;blockquote&gt;The latest espionage-related hacking campaign detailed by security vendor Trend Micro is most notable for the country it does not implicate: China.&lt;br /&gt;&lt;br /&gt;Researchers from Trend Micro wrote on Thursday that they discovered a series of hacking attacks targeting space-related government agencies, diplomatic missions, research institutions and companies located mostly in Russia but also Vietnam and Commonwealth of Independent States countries. 
In total, the attacks targeted 1,465 computers in 61 countries.&lt;/blockquote&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Read more &lt;a href="http://www.computerworld.com/s/article/9220226/_Lurid_malware_hits_Russia_CIS_countries?source=rss_security&amp;utm_source=twitterfeed&amp;utm_medium=twitter&amp;utm_campaign=Feed%3A+computerworld%2Fs%2Ffeed%2Ftopic%2F17+%28Computerworld+Security+News%29"&gt;here&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-6608057008360583890?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/6608057008360583890/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=6608057008360583890' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/6608057008360583890'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/6608057008360583890'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2011/09/lurid-malware-hits-russia-cis-countries.html' title='&apos;Lurid&apos; malware hits Russia, CIS countries'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-7079338573335512920</id><published>2011-09-25T17:42:00.002-04:00</published><updated>2011-09-25T17:45:23.722-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Crime'/><category 
scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Coordinated ATM Heist Nets Thieves $13M</title><content type='html'>Courtesy of Brian Krebs of KrebsOnSecurity.com,&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;&lt;blockquote&gt;An international cybercrime gang stole $13 million from a Florida-based financial institution earlier this year, by executing a highly-coordinated heist in which thieves used ATMs around the globe to cash out stolen prepaid debit cards, KrebsOnSecurity has learned.&lt;br /&gt;&lt;br /&gt;Jacksonville based Fidelity National Information Services Inc. (FIS) bills itself as the world’s largest processor of prepaid debit cards; FIS claims to process more than 775 million transactions annually. The company disclosed the breach in its first quarter earnings statement issued May 3, 2011. But details of the attack remained shrouded in secrecy as the FBI and forensic investigators probed one of the biggest and most complex banking heists of its kind.&lt;br /&gt;&lt;/blockquote&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Read more &lt;a href="http://krebsonsecurity.com/2011/08/coordinated-atm-heist-nets-thieves-13m/"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-7079338573335512920?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/7079338573335512920/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=7079338573335512920' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/7079338573335512920'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/4050177321399051504/posts/default/7079338573335512920'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2011/09/coordinated-atm-heist-nets-thieves-13m.html' title='Coordinated ATM Heist Nets Thieves $13M'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-6863591497666100864</id><published>2011-09-25T17:33:00.001-04:00</published><updated>2011-09-25T17:36:04.209-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Espionage'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='Information Warfare'/><title type='text'>U.S. Expresses Concern About New Cyberattacks in Japan</title><content type='html'>Courtesy of Hiroko Tabuchi of the New York Times,&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;The United States gave a stern warning on Wednesday over recent cyberattacks on Japan’s biggest defense contractors, the latest in a series of security breaches that have fueled concern about Tokyo’s ability to handle delicate information.&lt;br /&gt;&lt;br /&gt;An online assault on defense contractors including Mitsubishi Heavy Industries, which builds F-15 fighter jets and other American-designed weapons for Japan’s Self-Defense Forces, began in August, but only came to light this week, prompting rebukes from Japanese officials over the timing of the disclosure. 
The IHI Corporation, a military contractor that supplies engine parts for fighter jets, may have also been a target, the Nikkei business daily reported.&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Read more &lt;a href="http://www.nytimes.com/2011/09/22/world/asia/us-expresses-concern-over-cyberattacks-in-japan.html?_r=1&amp;nl=technology&amp;emc=techupdateema3"&gt;here&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-6863591497666100864?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/6863591497666100864/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=6863591497666100864' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/6863591497666100864'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/6863591497666100864'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2011/09/us-expresses-concern-about-new.html' title='U.S. 
Expresses Concern About New Cyberattacks in Japan'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-1816320256846140826</id><published>2011-09-25T17:26:00.003-04:00</published><updated>2011-09-25T17:33:09.223-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>'Stingray' Phone Tracker Fuels Constitutional Clash</title><content type='html'>Courtesy of the Wall Street Journal's Jennifer Valentino-Devries,&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;&lt;blockquote&gt;For more than a year, federal authorities pursued a man they called simply "the Hacker." Only after using a little known cellphone-tracking device—a stingray—were they able to zero in on a California home and make the arrest.&lt;br /&gt;&lt;br /&gt;Stingrays are designed to locate a mobile phone even when it's not being used to make a call. 
The Federal Bureau of Investigation considers the devices to be so critical that it has a policy of deleting the data gathered in their use, mainly to keep suspects in the dark about their capabilities, an FBI official told The Wall Street Journal in response to inquiries.&lt;/blockquote&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Read more &lt;a href="http://online.wsj.com/article/SB10001424053111904194604576583112723197574.html#ixzz1Z0BdUMLN"&gt;here&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-1816320256846140826?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/1816320256846140826/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=1816320256846140826' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1816320256846140826'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1816320256846140826'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2011/09/stingray-phone-tracker-fuels.html' title='&apos;Stingray&apos; Phone Tracker Fuels Constitutional Clash'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-5272609731506441078</id><published>2011-03-26T10:40:00.000-04:00</published><updated>2011-03-26T10:43:42.488-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' 
term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Espionage'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='Information Warfare'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Hack Obtains 9 Bogus Certificates for Prominent Websites; Traced to Iran</title><content type='html'>From Kim Zetter at &lt;a href="http://www.wired.com/threatlevel/2011/03/comodo-compromise/"&gt;Wired's Threat Level Blog&lt;/a&gt;,&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;In a fresh blow to the fundamental integrity of the internet, a hacker last week obtained legitimate web certificates that would have allowed him to impersonate some of the top sites on the internet, including the login pages used by Google, Microsoft and Yahoo e-mail customers.&lt;br /&gt;&lt;br /&gt;The hacker, whose March 15 attack was traced to an IP address in Iran, compromised a partner account at the respected certificate authority Comodo Group, which he used to request eight SSL certificates for six domains: mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org and login.live.com.&lt;br /&gt;&lt;br /&gt;The certificates would have allowed the attacker to craft fake pages that would have been accepted by browsers as the legitimate websites. The certificates would have been most useful as part of an attack that redirected traffic intended for Skype, Google and Yahoo to a machine under the attacker’s control. 
Such an attack can range from small-scale Wi-Fi spoofing at a coffee shop all the way to global hijacking of internet routes.&lt;br /&gt;&lt;br /&gt;At a minimum, the attacker would then be able to steal login credentials from anyone who entered a username and password into the fake page, or perform a “man in the middle” attack to eavesdrop on the user’s session.&lt;br /&gt;&lt;br /&gt;Comodo CEO Melih Abdulhayoglu calls the breach the certificate authority’s version of the Sept. 11 terror attacks.&lt;br /&gt;&lt;br /&gt;“Our own planes are being used against us in the C.A. [certificate authority] world,” Abdulhayoglu told Threat Level in an interview. “We have to up the bar and react to these new threat models. This untrusted DNS infrastructure cannot be what drives the internet going forward. If DNS was trusted, none of this would have been an issue.”&lt;br /&gt;&lt;br /&gt;Comodo says the attacker was well prepared, and appeared to have a list of targets at the ready when he logged into the company’s system and began requesting certificates.&lt;br /&gt;&lt;br /&gt;In addition to the bogus certificates, the attacker created a ninth certificate for a domain of his own under the name “Global Trustee,” according to Abdulhayoglu.&lt;br /&gt;&lt;br /&gt;Abdulhayoglu says the attack has all the markings of a state-sponsored intrusion rather than a criminal attack.&lt;br /&gt;&lt;br /&gt;“We deal with [cybercriminals] all day long,” he said. But “there are zero footprints of cybercriminals here.”&lt;br /&gt;&lt;br /&gt;“If you look at all these domains, every single one of them are communications-related,” he continued. “My personal opinion is that someone is trying to read people’s e-mail communications. [But] the only way for this attack to work [on a large scale] is if you have access to the DNS infrastructure. 
The certificates on their own are no use, unless they have access to the DNS infrastructure itself, which a state would.”&lt;br /&gt;&lt;br /&gt;Though he acknowledges that the attack could have originated anywhere, and been routed through Iranian servers as a proxy, he says Iranian president Mahmoud Ahmadinejad’s regime is the obvious suspect.&lt;br /&gt;&lt;br /&gt;Out of the nine fraudulent certificates the hacker requested, only one — for Yahoo — was found to be active. Abdulhayoglu said Comodo tracked it, because the attackers had tried to test the certificate using a second Iranian IP address.&lt;br /&gt;&lt;br /&gt;All of the fraudulent certificates have since been revoked, and Mozilla, Google and Microsoft have issued updates to their Firefox, Chrome and Internet Explorer browsers to block any websites from using the fraudulent certificates.&lt;br /&gt;&lt;br /&gt;Comodo came clean about the breach this week, after security researcher Jacob Appelbaum noticed the updates to Chrome and Firefox and began poking around. Mozilla persuaded Appelbaum to withhold public disclosure of the information until the situation with the certificates could be resolved, which he agreed to do.&lt;br /&gt;&lt;br /&gt;Abdulhayoglu told Threat Level that his company first learned of the breach from the partner that was compromised.&lt;br /&gt;&lt;br /&gt;The attacker had compromised the username and password of a registration authority, or R.A., in southern Europe that had been a Comodo Trusted Partner for five or six years, he said. Registration authorities are entities that are authorized to issue certificates after conducting a due-diligence check to determine that the person or entity seeking the certificate is legitimate.&lt;br /&gt;&lt;br /&gt;“We have certain checks and balances that alerted the R.A. [about the breach], which brought it to our attention,” he said. 
“Within hours we were alerted to it, and within hours we revoked everything.”&lt;br /&gt;&lt;br /&gt;It’s not the first time that the integrity of web certificates has come into question.&lt;br /&gt;&lt;br /&gt;Security researcher Moxie Marlinspike showed in 2009 how a vulnerability in the way that web certificates are issued by authorities and authenticated by web browsers would allow an attacker to impersonate any trusted website with a legitimately issued certificate&lt;/span&gt;.&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-5272609731506441078?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/5272609731506441078/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=5272609731506441078' title='14 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/5272609731506441078'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/5272609731506441078'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2011/03/hack-obtains-9-bogus-certificates-for.html' title='Hack Obtains 9 Bogus Certificates for Prominent Websites; Traced to Iran'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>14</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-9187347476605914517</id><published>2011-03-26T10:35:00.002-04:00</published><updated>2011-03-26T10:39:03.231-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='Information Warfare'/><title type='text'>Hacker Spies Hit Security Firm RSA</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://upload.wikimedia.org/wikipedia/commons/thumb/3/33/RSA-SecurID-Tokens.jpg/800px-RSA-SecurID-Tokens.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 800px; height: 455px;" src="http://upload.wikimedia.org/wikipedia/commons/thumb/3/33/RSA-SecurID-Tokens.jpg/800px-RSA-SecurID-Tokens.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;via Kim Zetter at &lt;a href="http://www.wired.com/threatlevel/2011/03/rsa-hacked/"&gt;Wired's Threat Level Blog&lt;/a&gt;,&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;Top security firm RSA Security revealed on Thursday that it’s been the victim of an “extremely sophisticated” hack.&lt;br /&gt;&lt;br /&gt;The company said in a note posted on its website that the intruders succeeded in stealing information related to the company’s SecurID two-factor authentication products. SecurID adds an extra layer of protection to a login process by requiring users to enter a secret code number displayed on a keyfob, or in software, in addition to their password. 
The number is cryptographically generated and changes every 30 seconds.&lt;br /&gt;&lt;br /&gt;“While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers,” RSA wrote on its blog, “this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.”&lt;br /&gt;&lt;br /&gt;As of 2009, RSA counted 40 million customers carrying SecurID hardware tokens, and another 250 million using software. Its customers include government agencies.&lt;br /&gt;&lt;br /&gt;RSA CEO Art Coviello wrote in the blog post that the company was “confident that no other … products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.”&lt;br /&gt;&lt;br /&gt;The company also provided the information in a document filed with the Securities and Exchange Commission on Thursday, which includes a list of recommendations for customers who might be affected. See below for a list of the recommendations.&lt;br /&gt;&lt;br /&gt;A company spokesman would not provide any details about when the hack occurred, how long it lasted or when the company had discovered it.&lt;br /&gt;&lt;br /&gt;“We are not withholding anything that would adversely impact the security of our customer systems,” said spokesman Michael Gallant. “[But] we’re working with government authorities as well so we’re not disclosing any further information besides what’s on the blog post.”&lt;br /&gt;&lt;br /&gt;RSA categorized the attack as an advanced persistent threat, or APT. APT attacks are distinctive in the kinds of data the attackers target. 
Unlike most intrusions that go after financial and identity data, APT attacks tend to go after source code and other intellectual property and often involve extensive work to map a company’s infrastructure.&lt;br /&gt;&lt;br /&gt;APT attacks often use zero-day vulnerabilities to breach a company and are therefore rarely detected by antivirus and intrusion programs. The intrusions are known for grabbing a foothold into a company’s network, sometimes for years, even after a company has discovered them and taken corrective measures.&lt;br /&gt;&lt;br /&gt;Last year’s hack into Google was considered an APT attack, and, like many intrusions in this category, was linked to China.&lt;br /&gt;&lt;br /&gt;RSA, which is owned by EMC, is a leading firm and is most known for the RSA encryption algorithm used to secure e-commerce and other transactions. The company hosts the top-ranked RSA security conference every year.&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;for more information visit the &lt;a href="http://www.wired.com/threatlevel/2011/03/rsa-hacked/"&gt;Wired Threat Level Blog&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-9187347476605914517?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/9187347476605914517/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=9187347476605914517' title='11 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/9187347476605914517'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/9187347476605914517'/><link rel='alternate' type='text/html' 
href='http://gucosc011.blogspot.com/2011/03/hacker-spies-hit-security-firm-rsa.html' title='Hacker Spies Hit Security Firm RSA'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>11</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-2526052546118857867</id><published>2011-03-26T10:30:00.002-04:00</published><updated>2011-03-26T10:34:45.747-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Hey AT&amp;T customers: Your Facebook data went to China and S. Korea this morning…</title><content type='html'>From &lt;a href="http://www.blyon.com/hey-att-customers-your-facebook-data-went-to-china-and-korea-this-morning/"&gt;Barrett Lyons's Blog&lt;/a&gt;,&lt;br /&gt;&lt;br /&gt;Quietly this morning customers of AT&amp;T browsing Facebook did so by way of China then Korea. Typically AT&amp;T customers’ data would have routed over the AT&amp;T network directly to Facebook’s network provider but due to a routing mistake their private data went first to Chinanet then via Chinanet to SK Broadband in South Korea, then to Facebook. 
This means that anything you looked at via Facebook without encryption was exposed to anyone operating Chinanet, which has a very suspect modus operandi.&lt;br /&gt;This morning’s route to Facebook from AT&amp;T:&lt;br /&gt;&lt;br /&gt;route-server&gt;show ip bgp 69.171.224.13 (Facebook's www IP address)&lt;br /&gt;BGP routing table entry for 69.171.224.0/20, version 32605349&lt;br /&gt;Paths: (18 available, best #6, table Default-IP-Routing-Table)&lt;br /&gt;Not advertised to any peer&lt;br /&gt;7018 4134 9318 32934 32934 32934&lt;br /&gt;&lt;br /&gt;The AS path (routing path) translates to this:&lt;br /&gt;&lt;br /&gt;1. AT&amp;T (AS7018)&lt;br /&gt;2. Chinanet (Data in China AS4134)&lt;br /&gt;3. SK Broadband (Data in South Korea AS9318)&lt;br /&gt;4. Facebook (Data back to US 32934)&lt;br /&gt;&lt;br /&gt;Current route to Facebook via AT&amp;T:&lt;br /&gt;&lt;br /&gt;route-server&gt;sho ip bgp 69.171.224.0/20&lt;br /&gt;BGP routing table entry for 69.171.224.0/20, version 32743195&lt;br /&gt;Paths: (18 available, best #6, table Default-IP-Routing-Table)&lt;br /&gt;Not advertised to any peer&lt;br /&gt;7018 3356 32934 32934, (received &amp; used)&lt;br /&gt;&lt;br /&gt;Translated: Your data goes from AT&amp;T’s network to US-based Level3 Communications to Facebook’s servers.&lt;br /&gt;&lt;br /&gt;What could have happened with your data? Most likely absolutely nothing. Yet, China is well known for its harmful networking practices by limiting network functionality and spying on its users, and when your data is flowing over their network, your data could be treated as any Chinese citizens’. Does that include capturing your session ID information, personal information, emails, photos, chat conversations, mappings to your friends and family, etc? 
One could only speculate, however it’s possible.&lt;br /&gt;&lt;br /&gt;This brings up a lot of questions:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Should Facebook and/or AT&amp;T have notified their customers that their personal information was flowing over a network that they may not trust?&lt;br /&gt;&lt;li&gt;Should Facebook enable SSL on all accounts by default?&lt;br /&gt;&lt;li&gt;Was this actually a privacy breach or just the way the Internet functions?&lt;br /&gt;&lt;li&gt;Does Facebook have an ethical responsibility to buy additional IP connectivity to major broadband and mobile networks to prevent routing mishaps?&lt;br /&gt;&lt;li&gt;Is it time to focus on new options within BGP to prevent high profile sites from routing to non-authenticated networks?&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;This happens all the time — the Internet is just not a trusted network. Yet, I prefer to know that when I am on AT&amp;T’s network, going to US-located sites, my packets are not accidentally leaving the country and being subject to another nation’s policies. 
I guess that’s why you should not use Facebook in “bareback” mode and use HTTPS (SSL) any time you can.&lt;br /&gt;&lt;br /&gt;Food for thought.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-2526052546118857867?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/2526052546118857867/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=2526052546118857867' title='13 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/2526052546118857867'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/2526052546118857867'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2011/03/hey-at-customers-your-facebook-data.html' title='Hey AT&amp;T customers: Your Facebook data went to China and S. 
Korea this morning…'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>13</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-1147189701218960030</id><published>2011-03-26T10:28:00.001-04:00</published><updated>2011-03-26T10:30:15.825-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>It’s Tracking Your Every Move and You May Not Even Know</title><content type='html'>via Noam Cohen at &lt;a href="http://www.nytimes.com/2011/03/26/business/media/26privacy.html?_r=1"&gt;the New York Times&lt;/a&gt;,&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;&lt;blockquote&gt;A favorite pastime of Internet users is to share their location: services like Google Latitude can inform friends when you are nearby; another, Foursquare, has turned reporting these updates into a game.&lt;br /&gt;&lt;br /&gt;But as a German Green party politician, Malte Spitz, recently learned, we are already continually being tracked whether we volunteer to be or not. Cellphone companies do not typically divulge how much information they collect, so Mr. Spitz went to court to find out exactly what his cellphone company, Deutsche Telekom, knew about his whereabouts.&lt;br /&gt;&lt;br /&gt;The results were astounding. In a six-month period — from Aug 31, 2009, to Feb. 28, 2010, Deutsche Telekom had recorded and saved his longitude and latitude coordinates more than 35,000 times. 
It traced him from a train on the way to Erlangen at the start through to that last night, when he was home in Berlin.&lt;br /&gt;&lt;br /&gt;Mr. Spitz has provided a rare glimpse — an unprecedented one, privacy experts say — of what is being collected as we walk around with our phones. Unlike many online services and Web sites that must send “cookies” to a user’s computer to try to link its traffic to a specific person, cellphone companies simply have to sit back and hit “record.”&lt;br /&gt;&lt;br /&gt;“We are all walking around with little tags, and our tag has a phone number associated with it, who we called and what we do with the phone,” said Sarah E. Williams, an expert on graphic information at Columbia University’s architecture school. “We don’t even know we are giving up that data.”&lt;br /&gt;&lt;br /&gt;Tracking a customer’s whereabouts is part and parcel of what phone companies do for a living. Every seven seconds or so, the phone company of someone with a working cellphone is determining the nearest tower, so as to most efficiently route calls. And for billing reasons, they track where the call is coming from and how long it has lasted.&lt;br /&gt;&lt;br /&gt;“At any given instant, a cell company has to know where you are; it is constantly registering with the tower with the strongest signal,” said Matthew Blaze, a professor of computer and information science at the University of Pennsylvania who has testified before Congress on the issue.&lt;br /&gt;&lt;br /&gt;Mr. Spitz’s information, Mr. Blaze pointed out, was not based on those frequent updates, but on how often Mr. Spitz checked his e-mail.&lt;br /&gt;&lt;br /&gt;Mr. Spitz, a privacy advocate, decided to be extremely open with his personal information. 
Late last month, he released all the location information in a publicly accessible Google Document, and worked with a prominent German newspaper, Die Zeit, to map those coordinates over time.&lt;br /&gt;&lt;br /&gt;“This is really the most compelling visualization in a public forum I have ever seen,” said Mr. Blaze, adding that it “shows how strong a picture even a fairly low-resolution location can give.”&lt;br /&gt;&lt;br /&gt;In an interview from Berlin, Mr. Spitz explained his reasons: “It was an important point to show this is not some kind of a game. I thought about it, if it is a good idea to publish all the data — I also could say, O.K., I will only publish it for five, 10 days maybe. But then I said no, I really want to publish the whole six months.”&lt;br /&gt;&lt;br /&gt;In the United States, telecommunication companies do not have to report precisely what material they collect, said Kevin Bankston, a lawyer at the Electronic Frontier Foundation, who specializes in privacy. He added that based on court cases he could say that “they store more of it and it is becoming more precise.”&lt;br /&gt;&lt;br /&gt;“Phones have become a necessary part of modern life,” he said, objecting to the idea that “you have to hand over your personal privacy to be part of the 21st century.”&lt;br /&gt;&lt;br /&gt;In the United States, there are law enforcement and safety reasons for cellphone companies being encouraged to keep track of its customers. Both the F.B.I. and the Drug Enforcement Administration have used cellphone records to identify suspects and make arrests.&lt;br /&gt;&lt;br /&gt;If the information is valuable to law enforcement, it could be lucrative for marketers. 
The major American cellphone providers declined to explain what exactly they collect and what they use it for.&lt;br /&gt;&lt;br /&gt;Verizon, for example, declined to elaborate other than to point to its privacy policy, which includes: “Information such as call records, service usage, traffic data,” the statement in part reads, may be used for “marketing to you based on your use of the products and services you already have, subject to any restrictions required by law.”&lt;br /&gt;&lt;br /&gt;AT&amp;T, for example, works with a company, Sense Networks, that uses anonymous location information “to better understand aggregate human activity.” One product, CitySense, makes recommendations about local nightlife to customers who choose to participate based on their cellphone usage. (Many smartphone apps already on the market are based on location but that’s with the consent of the user and through GPS, not the cellphone company’s records.)&lt;br /&gt;&lt;br /&gt;Because of Germany’s history, courts place a greater emphasis on personal privacy. Mr. Spitz first went to court to get his entire file in 2009 but Deutsche Telekom objected.&lt;br /&gt;&lt;br /&gt;For six months, he said, there was a “Ping Pong game” of lawyers’ letters back and forth until, separately, the Constitutional Court there decided that the existing rules governing data retention, beyond those required for billing and logistics, were illegal. Soon thereafter, the two sides reached a settlement: “I only get the information that is related to me, and I don’t get all the information like who am I calling, who sent me a SMS and so on,” Mr. Spitz said, referring to text messages.&lt;br /&gt;&lt;br /&gt;Even so, 35,831 pieces of information were sent to him by Deutsche Telekom as an encrypted file, to protect his privacy during its transmission.&lt;br /&gt;&lt;br /&gt;Deutsche Telekom, which owns T-Mobile, Mr. 
Spitz’s carrier, wrote in an e-mail that it stored six months’ of data, as required by the law, and that after the court ruling it “immediately ceased” storing data.&lt;br /&gt;&lt;br /&gt;And a year after the court ruling outlawing this kind of data retention, there is a movement to try to get a new, more limited law passed. Mr. Spitz, at 26 a member of the Green Party’s executive board, says he released that material to influence that debate.&lt;br /&gt;&lt;br /&gt;“I want to show the political message that this kind of data retention is really, really big and you can really look into the life of people for six months and see what they are doing where they are.”&lt;br /&gt;&lt;br /&gt;While the potential for abuse is easy to imagine, in Mr. Spitz’s case, there was not much revealed.&lt;br /&gt;&lt;br /&gt;“I really spend most of the time in my own neighborhood, which was quite funny for me,” he said. “I am not really walking that much around.”&lt;br /&gt;&lt;br /&gt;Any embarrassing details? “The data shows that I am flying sometimes,” he said, rather than taking a more fuel-efficient train. 
“Something not that popular for a Green politician.”&lt;/blockquote&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-1147189701218960030?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/1147189701218960030/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=1147189701218960030' title='17 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1147189701218960030'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1147189701218960030'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2011/03/its-tracking-your-every-move-and-you.html' title='It’s Tracking Your Every Move and You May Not Even Know'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>17</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-8145159761351047451</id><published>2011-03-21T22:28:00.000-04:00</published><updated>2011-03-21T22:29:13.311-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='humor'/><title type='text'>Humor: CIA's 'Facebook' Program Dramatically Cut Agency's Costs</title><content type='html'>&lt;iframe frameborder="no" width="480" height="270" scrolling="no" src="http://www.theonion.com/video_embed/?id=19753"&gt;&lt;/iframe&gt;&lt;br /&gt;&lt;a href="http://www.theonion.com/video/cias-facebook-program-dramatically-cut-agencys-cos,19753/" 
target="_blank" title="CIA's 'Facebook' Program Dramatically Cut Agency's Costs"&gt;CIA's 'Facebook' Program Dramatically Cut Agency's Costs&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;hat tip to the Onion&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-8145159761351047451?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/8145159761351047451/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=8145159761351047451' title='8 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/8145159761351047451'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/8145159761351047451'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2011/03/humor-cias-facebook-program.html' title='Humor: CIA&apos;s &apos;Facebook&apos; Program Dramatically Cut Agency&apos;s Costs'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>8</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-912949160931911916</id><published>2011-02-17T11:20:00.002-05:00</published><updated>2011-02-17T11:25:08.572-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Viewdle Lets the Camera Recognize Your Friends</title><content type='html'>Via the &lt;a 
href="http://blogs.wsj.com/digits/2011/02/16/viewdle-lets-the-camera-recognize-your-friends/"&gt;Wall Street Journal&lt;/a&gt; ...&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;Few technologies have improved as steadily as digital cameras, long a standard feature in cellphones. But a new phase may be coming, as companies like Viewdle allow smartphones to recognize who is in a photograph as it’s taken.&lt;br /&gt;&lt;br /&gt;The broader concept–a hot topic at this week’s Mobile World Congress in Barcelona–is called augmented reality. The term refers to overlaying labels, graphics and other information on images seen through a cellphone camera viewfinder.&lt;br /&gt;&lt;br /&gt;In the prototypical scenario, a customer looking at goods on a shelf or walking by a restaurant could see reviews or product information superimposed on the display, allowing them to make smarter purchases. Many companies are working in the field and discussing developments this week, including metaio, a Munich-based software developer that also has offices in San Francisco.&lt;br /&gt;&lt;br /&gt;Viewdle, based in Palo Alto, Calif., has been specializing in technology that could help apply information to faces. It has developed algorithms to recognize people in photographs and apply identifying tags–an automated alternative to the tagging that many users of Facebook and other sites do manually.&lt;br /&gt;&lt;br /&gt;That’s not an entirely new trick. But it usually requires heavy-duty computing horsepower, often carried out by connecting to servers on the Internet in a process after a photo is taken.&lt;br /&gt;&lt;br /&gt;Viewdle, which has grown since 2007 to 60 employees, believes it is breaking new ground in allowing smartphones to do these calculations on their own–and in real time, as faces come into a camera’s field of view. (Its software works by comparing faces it detects with images that have been previously stored and identified). 
The company’s website features a video of five women walking down the street toward the camera, with labels popping up that identify them and post their Facebook comments in real time.&lt;br /&gt;&lt;br /&gt;Chip makers like augmented reality, in part because it takes a lot of computing cycles. Qualcomm, for instance, is an investor in Viewdle, which is making sure its software takes advantage of Qualcomm chips.&lt;br /&gt;&lt;br /&gt;But Viewdle is not playing favorites. At the Barcelona event, the company is announcing a development kit to help software developers create apps that take advantage of its technology, and optimizing its software also to exploit Texas Instruments’ chips as well as Google’s popular operating system for cellphones. “It will run on all Android devices,” says Jason Mitura, Viewdle’s chief product officer.&lt;br /&gt;&lt;br /&gt;When will consumers get to see the results? Viewdle will start by offering its own app, expected to be available in late March. Besides waiting for other apps to follow, the company is also trying to get handset makers to include the capability in their products, Mitura says.&lt;br /&gt;&lt;br /&gt;Qualcomm, meanwhile, on Tuesday announced the winners in a contest it hosted for augmented reality applications, putting up $200,000 in total prize money. Taking first place, which entitled them to $125,000, were two men from Lithuania who developed an interactive game called Paparazzi. 
In it, the player looking through the smartphone viewfinder sees the superimposed image of a vain celebrity.&lt;br /&gt;&lt;br /&gt;“You try to take a picture of the virtual guy,” says Jay Wright, a Qualcomm director of business development, before the celebrity gets agitated and attacks.&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;while anonymity does not equal privacy, the development of technologies like this lays bare the challenges that we face as a society in protecting our privacy and security in the digital age.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-912949160931911916?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/912949160931911916/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=912949160931911916' title='8 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/912949160931911916'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/912949160931911916'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2011/02/viewdle-lets-camera-recognize-your.html' title='Viewdle Lets the Camera Recognize Your Friends'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>8</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-5762904888406882311</id><published>2011-02-17T11:07:00.001-05:00</published><updated>2011-02-17T11:09:56.761-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Federal Officials Call For Better Privacy, Security Protections Online</title><content type='html'>Via Dennis Fisher at &lt;a href="http://threatpost.com/en_us/blogs/federal-officials-call-better-privacy-security-protections-online-021611"&gt;ThreatPost&lt;/a&gt; ...&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;The Obama administration's top information security officials hit the stage at the RSA Conference Tuesday, looking to drum up support for several of the president's key security and privacy initiatives, including a still-nebulous plan for protecting users' freedom and privacy on the Web.&lt;br /&gt;&lt;br /&gt;The plea for help from the thousands of security experts and enterprise executives gathered here for RSA came from Howard Schmidt, the president's cybersecurity adviser and Philip Reitinger, the deputy undersecretary of the National Protection and Programs directorate at the Department of Homeland Security, who spoke as part of a town hall meeting on cybersecurity. Schmidt, a former top security official at Microsoft and eBay, used the Internet shutdown that accompanied the recent revolution in Egypt as an example of what President Obama wants to prevent.&lt;br /&gt;&lt;br /&gt;"It is incumbent upon all of us to make sure that we preserve those freedoms," Schmidt said. 
"We're going to hold others accountable on Internet freedom and make sure that we do those same things ourselves. We need to lead by example."&lt;br /&gt;&lt;br /&gt;Earlier in the day, Secretary of State Hillary Clinton gave a similar speech to a group of students at George Washington University in which she emphasized the need for some framework of rules to help guarantee a basic level of freedom online.&lt;br /&gt;&lt;br /&gt;"For the United States, the choice is clear. On the spectrum of Internet freedom, we place ourselves on the side of openness. Now, we recognize that an open Internet comes with challenges. It calls for ground rules to protect against wrongdoing and harm. And Internet freedom raises tensions, like all freedoms do. But we believe the benefits far exceed the costs," Clinton said.&lt;br /&gt;&lt;br /&gt;What's less clear in all of this is exactly what the Obama administration intends to do to achieve these goals. At RSA, Schmidt and Reitinger both said that in order to improve both security and privacy online, the government needs help from the private sector. This has been a common theme in government information security plans for more than a decade and the idea of more public-private partnerships has been dismissed by many in the industry as futile. But Reitinger said that they can work if done correctly.&lt;br /&gt;&lt;br /&gt;"When we say public-private partnership, people don't know what we mean. Neither the government nor the private sector can solve these problems on their own," he said. "People hear this and think we're just going to walk away saying kumbaya. That's not what we're talking about. The successful ones actually are a partnership and they're real and outcome-focused."&lt;br /&gt;&lt;br /&gt;None of the panelists offered much in the way of specifics on what the administration planned to do, aside from previously announced initiatives such as the plan to create online IDs. 
But Schmidt stressed that there were plans in the works that would get things moving.&lt;br /&gt;&lt;br /&gt;"We need to ensure we have the safeguards in place to protect people," he said. "It's all about collaboration. We need new ways to work faster. It's critical to our future and having that economic engine that we all need."&lt;/span&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-5762904888406882311?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/5762904888406882311/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=5762904888406882311' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/5762904888406882311'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/5762904888406882311'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2011/02/federal-officials-call-for-better.html' title='Federal Officials Call For Better Privacy, Security Protections Online'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-8186050798096953063</id><published>2011-02-13T19:19:00.000-05:00</published><updated>2011-02-13T19:21:50.398-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category 
scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Lawmaker Introduces New Privacy Bill</title><content type='html'>Via the &lt;a href="http://blogs.wsj.com/digits/2011/02/11/lawmaker-introduces-new-privacy-bill/"&gt;Wall Street Journal&lt;/a&gt; ...&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;Rep. Jackie Speier, D-Calif., introduced a bill Friday that would give the Federal Trade Commission authority to establish an online do-not-track system.&lt;br /&gt;&lt;br /&gt;The bill is the first in this session to specifically tackle the creation of a do-not-track system, according to a spokesman for Ms. Speier. In December, the FTC issued a report recommending the creation of a do-not-track system and suggested that lawmakers use the report as a template for legislation.&lt;br /&gt;&lt;br /&gt;Since the FTC’s recommendation, Mozilla Corp. has said it will include a do-not-track feature in an upcoming version of its Firefox Web browser. But so far, no tracking companies have publicly stated that they will participate in a do-not-track system.&lt;br /&gt;&lt;br /&gt;In its newest Internet Explorer browser, Microsoft will allow users to stop certain websites and tracking companies from monitoring them. And Google last month began offering a tool that lets users of its Chrome browser permanently opt out of ad-tracking cookies.&lt;br /&gt;&lt;br /&gt;Representatives of the three companies sparred gently over the merits of the differing approaches at a conference Wednesday at the University of California, Berkeley. Alex Fowler, Mozilla’s global privacy and public-policy leader, said it wanted to give users flexibility in choosing the companies they will and won’t allow to track them.&lt;br /&gt;&lt;br /&gt;“We’ve done this intentionally because there is a spectrum of values across our users,” Mr. Fowler said. 
Some “don’t want to see ads or be tracked” at all, while others “see value in free services by receiving free advertising.”&lt;br /&gt;&lt;br /&gt;Privacy issues are heating up on Capitol Hill. Earlier this week, Rep. Bobby Rush, D-Ill., re-introduced privacy legislation that he introduced during the last session of Congress. His bill would establish baseline federal privacy laws around the collection of personal data. Rep. John Kerry, D-Mass., is also expected to introduce privacy legislation in the coming weeks.&lt;br /&gt;&lt;br /&gt;There is no comprehensive U.S. law that protects consumer privacy online. Internet privacy issues generally are policed by the FTC, which can take action only if a privacy-violating action is deemed “deceptive” or “unfair.” Last year, the Obama Administration called for a Web privacy “bill of rights” to help regulate the personal data collection industry.&lt;br /&gt;&lt;br /&gt;Of course, these Democratic bills face challenges in the Republican House of Representatives. Ms. Speier said while the bill has two co-sponsors, both Democrats, she is “hopeful we’ll find Republican co-sponsors — we’re hopeful of finding Tea Party-Republicans, because that’s a closely held value” of Tea Party Conservatives, she told Digits.&lt;br /&gt;&lt;br /&gt;Ms. Speier also noted support from the Consumers’ Union, Consumer Action, Consumer Federation of America, Consumers Watchdog and the American Civil Liberties Union. 
The Congresswoman predicted broad support because “86 percent of the public that has been polled nationally wants to have the option of not being tracked.”&lt;/span&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-8186050798096953063?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/8186050798096953063/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=8186050798096953063' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/8186050798096953063'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/8186050798096953063'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2011/02/lawmaker-introduces-new-privacy-bill.html' title='Lawmaker Introduces New Privacy Bill'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-1708665314000602547</id><published>2011-02-13T19:13:00.003-05:00</published><updated>2011-02-13T19:18:21.430-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Chris Lee Resigns After Craigslist Photos Come To Light</title><content type='html'>From your classmate Ife  via the &lt;a 
href="http://www.huffingtonpost.com/2011/02/09/chris-lee-resigns-after-c_n_821080.html"&gt;Huffington Post&lt;/a&gt;...&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;Rep. Chris Lee (R-N.Y.) announced early Wednesday evening that he will resign his seat in the U.S. House of Representatives.&lt;br /&gt;&lt;br /&gt;Buffalo-based station YNN relays a statement from Lee, who has signaled that he will vacate his post immediately:&lt;br /&gt;&lt;br /&gt;"It has been a tremendous honor to serve the people of Western New York. I regret the harm that my actions have caused my family, my staff and my constituents. I deeply and sincerely apologize to them all. I have made profound mistakes and I promise to work as hard as I can to seek their forgiveness. &lt;br /&gt;"The challenges we face in Western New York and across the country are too serious for me to allow this distraction to continue, and so I am announcing that I have resigned my seat in Congress effective immediately."&lt;br /&gt;News of Lee's decision to step down comes just hours after it was reported that the married congressman sent shirtless photos of himself to a woman who he connected with on the "Women Seeking Men" section of Craigslist.&lt;br /&gt;&lt;br /&gt;HuffPost's Nick Wing reported earlier in the day:&lt;br /&gt;&lt;br /&gt;According to Gawker, the 46-year-old married Republican responded to a listing posted last month by a 34-year-old woman looking for "financially &amp; emotionally secure" men who "don't look like toads."&lt;br /&gt;In an email, sent from an account admittedly registered to Lee, someone reportedly replied, claiming to be a 39-year-old, "6ft 190lbs blond/blue," "divorced" "lobbyist."&lt;br /&gt;After a few flirty back-and-forths, the woman told Gawker that Lee sent her a picture of himself, sans shirt.&lt;br /&gt;Asked for comment, Lee's spokesman provided a denial and claimed that the congressman's email account had been hacked.&lt;br /&gt;"The 
Congressman is happily married," the spokesman told Gawker. "The only time he or his wife posted something online was to sell old furniture when they changed the apartment they keep in DC."&lt;br /&gt;&lt;br /&gt;__&lt;br /&gt;UPDATE: "People cheat everyday, but only dumb people get caught," said the woman who received the half-naked photos. She gave a full interview to TheLoop21.com on Wednesday night.&lt;br /&gt;&lt;br /&gt;Her blunt evaluation comes after receiving flirty emails that used the congressman's name, originated from the email address associated with his Facebook profile (since deleted), and contained photos that clearly seemed to show his face -- and shirtless torso. So much for internet anonymity.&lt;br /&gt;&lt;br /&gt;The woman, who works in government, requested to maintain her own anonymity in exchange for the accounts provided to Gawker and TheLoop21. HuffPost spoke with a friend of the woman who confirmed her story about getting the emails and photos after posting a personal ad on Craigslist.&lt;br /&gt;&lt;br /&gt;In the interview with TheLoop21.com, the woman said she figured the story put forward by Lee's spokesman about a hacker was "bullsh*t."&lt;br /&gt;&lt;br /&gt;"Dating in D.C. sucks," she summed up. 
Click here for more.&lt;/span&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-1708665314000602547?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/1708665314000602547/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=1708665314000602547' title='10 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1708665314000602547'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1708665314000602547'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2011/02/chris-lee-resigns-after-craigslist.html' title='Chris Lee Resigns After Craigslist Photos Come To Light'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>10</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-3920290973785506655</id><published>2011-02-13T18:52:00.002-05:00</published><updated>2011-02-13T18:55:46.762-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Denying allegations</title><content type='html'>Interesting thoughts from Lawrence on maintaining our reputations in the digital age ...&lt;br /&gt;&lt;br 
/&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;Trust and reputation are two important aspects of civilization. The former is often influenced by the latter. You would not trust someone who has been charged with fraud or other such crimes. You would not vote for a politician that has been accused of (often sexually) harassing interns. In the last century, we relied on a wide array of evidence to judge whether the individual was guilty or not. Evidence such as video surveillance tapes, phone records, credit card bills and many other things. I listed these forms of evidence because I want to discuss their legitimacy in court in the 21st century. &lt;br /&gt;&lt;br /&gt;Technology has advanced dramatically in recent years and we have become capable of incredible feats often experienced in movies (i.e. Avatar) or less often in the form of online theft (by hackers all over the world) draining your bank account. &lt;br /&gt;My worry is that video surveillance and many other things might be easily altered to fit the crime (or not). Thus undermining their validity as evidence in court. &lt;br /&gt;I’ll give you a few illustrations. Facebook accounts can be hacked, therefore the content, also, can be altered. Imagine someone ‘unearthing’ incriminating pictures of you on Facebook and consequently, you are arrested and put on trial. You know that the pictures are fake because you never found yourself in the situation depicted on the picture. Of course you don’t, they were photo-shopped by someone who has something to gain by you going to prison. The jury does not believe your account and sends you to prison for whatever you have done (not fair, I know). 
Replace Facebook in this whole story with other things like credit card bills or phone call records and come to the same conclusion.&lt;br /&gt;&lt;br /&gt;The modern court of tomorrow will pick up on these practices and revise their list of approved forms of evidence (excluding things like mentioned above).&lt;br /&gt;Imagine a politician that did sexually harass an intern and it was caught on tape. This politician happened to have many allies and enemies. In court, the politician could claim that the person on the video is not really him, but a virtually rendered version of him by animators and programmers (think about animated movies these days). The court has reason to believe him because he has many enemies who would gain by faking something like this. &lt;br /&gt;&lt;br /&gt;Therefore, technology (hacking etc) can render many forms of evidence useless.&lt;br /&gt;&lt;br /&gt;My concern is the way we use the internet and how we behave on it. How will we be able to hold each other accountable (online) if all the things we do (good or bad) can be brushed off as conspiracy if someone presses charges?&lt;/span&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-3920290973785506655?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/3920290973785506655/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=3920290973785506655' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/3920290973785506655'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/3920290973785506655'/><link rel='alternate' type='text/html' 
href='http://gucosc011.blogspot.com/2011/02/denying-allegations.html' title='Denying allegations'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-2770420598435384233</id><published>2011-02-13T18:43:00.002-05:00</published><updated>2011-02-13T19:19:31.104-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><title type='text'>Exabytes: Documenting the 'digital age' and huge growth in computing capacity</title><content type='html'>A hat tip to two of your classmates Katharina and Katie for pointing this &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2011/02/10/AR2011021004916.html"&gt;Washington Post&lt;/a&gt; article out to me ...&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;Megabytes are dead.&lt;br /&gt;&lt;br /&gt;Gigabytes are passe.&lt;br /&gt;&lt;br /&gt;So much digital data now moves around the globe that those who endeavor to measure it employ a new - or new to non-nerds - term.&lt;br /&gt;&lt;br /&gt;Meet the exabyte.&lt;br /&gt;&lt;br /&gt;How much data is an exabyte? It's a billion gigabytes - and it signifies just how digital and data-intensive the world has become.&lt;br /&gt;&lt;br /&gt;In 2007, the global capacity to store digital information - on computer hard disks, smartphones, CDs and other digital media - totaled 276 exabytes, a new report finds.&lt;br /&gt;&lt;br /&gt;How much is that? 
Imagine a stack of CDs - each holding an album's worth of digital music - shooting from the top of your desk to 50,000 miles beyond the moon.&lt;br /&gt;&lt;br /&gt;But not everyone has equal access to those resources. In fact, the digital gap between rich and poor countries appears to be growing, said Martin Hilbert of the University of Southern California, who led the audacious effort to tally all of civilization's information and computing power.&lt;br /&gt;&lt;br /&gt;In 2002, people in developed countries had access to eight times the bandwidth - or information-carrying capacity - of people in poorer nations, Hilbert said, citing data he will publish soon. By 2007, that gap had almost doubled.&lt;br /&gt;&lt;br /&gt;"If we want to understand the vast social changes underway in the world, we have to understand how much information people are handling," Hilbert said.&lt;br /&gt;&lt;br /&gt;To address that question, Hilbert and co-author Priscila Lopez spent four years poring over 1,110 sources of information spanning from 1986 to 2007, including sales data from computer and cellphone makers and the music and movie industries.&lt;br /&gt;&lt;br /&gt;In 1986, a year after digital CDs widely debuted, vinyl records still accounted for 14 percent of all data on Earth, with audiocassettes holding an additional 12 percent.&lt;br /&gt;&lt;br /&gt;By 2000, digital media accounted for just 25 percent of all information in the world.&lt;br /&gt;&lt;br /&gt;After that, the prevalence of digital media began to skyrocket. In 2002, digital storage capacity outstripped the non-digital variety - mostly paper and videotapes - for the first time.&lt;br /&gt;&lt;br /&gt;"That was the turning point," said Hilbert, who published the report in the journal Science. "You could say the digital age started in 2002. 
It continued tremendously from there."&lt;br /&gt;&lt;br /&gt;By 2007, the last year documented in the study, 94 percent of all information storage capacity on Earth was digital. The other 6 percent resided in books, magazines and other non-digital formats, particularly videotape, Hilbert and Lopez found.&lt;br /&gt;&lt;br /&gt;But despite the forecasts of futurists, a paperless world has not arrived. Although stupendously outstripped in growth by digital media, the amount of paper produced for books, magazines, newspapers and office use climbed steadily over the two decades of the study.&lt;br /&gt;&lt;br /&gt;As for computing power - the number of calculations per second available in all of the computers in the world - that grew faster than even information storage, muscling ahead at an average annual growth rate of 58 percent over 21 years. Information storage, in contrast, grew at a rate of 23 percent.&lt;br /&gt;&lt;br /&gt;Of course, for anyone tethered to an iPhone, Gmail and Facebook all day, all of this probably comes as no surprise.&lt;br /&gt;&lt;br /&gt;That daily digital activity contributes to a churning information tsunami. Humans generate enough data - from TV and radio broadcasts, telephone conversations and, of course, Internet traffic - to fill our 276 exabyte storage capacity every eight weeks, Hilbert said. Of course, most of the digital traffic is never stored long term, evaporating into the ether.&lt;br /&gt;&lt;br /&gt;The study prompts deep questions, one of which Hilbert plans to explore soon: How much of this data deluge is truly useful? 
Or, as Hilbert distilled it, "What's the value of watching a silly cat video versus reading an overpriced book?"&lt;br /&gt;&lt;br /&gt;While we wait for an answer, social scientists worry that the mounting data carry a hidden cost: disconnection from one another.&lt;br /&gt;&lt;br /&gt;"We'd like to think that [information technology] changes everything, that the amazing statistics these authors cite mean that our society has fundamentally and irreversibly changed," said Thomas J. Misa, who studies the history of technology at the University of Minnesota. "I'm a bit more skeptical." After all, Misa said, "there are still secret prisons in Cairo where government agents savagely beat people. Cellphones and social media didn't change that."&lt;br /&gt;&lt;br /&gt;Perhaps not, but widespread reports from Egypt suggest that online social networking contributed to - or even prompted - the ongoing demonstrations there.&lt;br /&gt;&lt;br /&gt;The study also found that Earth had 3.4 billion cellphones in 2007, with telecommunications traffic growing at an average rate of 28 percent per year between 1986 and 2007. That's a lot of minutes on your plan.&lt;br /&gt;&lt;br /&gt;In a second report Hilbert plans to publish in a few months, he found that an ever-increasing slice of our daily data resides not on home computers and the smartphones in our pockets, but in giant data warehouses owned by Google, Facebook, Citibank, the federal government and other huge entities. Microsoft's recent ad campaign touts the benefits of moving all of your personal data to "the cloud," invoking white puffs that magically - and cleanly - store our home photos.&lt;br /&gt;&lt;br /&gt;The reality is much dirtier. In 2006, the nation's "server farms" - the home of the cloud - sucked down 1.5 percent of all electricity in the United States, double the amount used in 2000, the Environmental Protection Agency reported. 
Congress ordered the report out of concern that our insatiable demand for Facebook and YouTube would push the United States to build 10 new pollution-spewing coal plants.&lt;br /&gt;&lt;br /&gt;But Hilbert offers a humbling comparison. Despite our gargantuan digital growth, the DNA in a single human body still stores far more information - and a single human brain computes far more calculations - than all the technology on Earth.&lt;br /&gt;&lt;br /&gt;"Compared to Mother Nature," Hilbert said, "we are humble apprentices."&lt;/span&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-2770420598435384233?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/2770420598435384233/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=2770420598435384233' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/2770420598435384233'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/2770420598435384233'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2011/02/exabytes-documenting-digital-age-and.html' title='Exabytes: Documenting the &apos;digital age&apos; and huge growth in computing capacity'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-1239114617198827193</id><published>2011-02-07T08:06:00.002-05:00</published><updated>2011-02-07T08:09:49.374-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Fake Dating Site Lifts Pictures And Names from Facebook -- Without Asking</title><content type='html'>From the &lt;a href="http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/02/03/businessinsider-fake-dating-site-uses-facebook-profiles-without-asking-2011-2.DTL#ixzz1DHJ3FRGF"&gt;San Francisco Chronicle&lt;/a&gt; ...&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;A pair of artists gathered the public profiles of more than 1 million Facebook users, then took the pictures and created a fake dating site called Lovely-Faces.com.&lt;br /&gt;&lt;br /&gt;Users can search based on nationality, traits like "easy going," and gender, or can simply enter a name and see if they're in the database. 
When users click a result to "arrange a date," they're taken to the person's public Facebook profile.&lt;br /&gt;&lt;br /&gt;The site scraped Facebook data without permission, and the company told Wired that it's not amused and will "take appropriate action."&lt;br /&gt;&lt;br /&gt;Basically, it looks like an awkward commentary on the shallowness of online dating profiles and Facebook's confusing privacy policies, but violating privacy to make a point about privacy doesn't work very well. The artists, Paolo Cirio and Alessandro Ludovico, tried to explain their point in a press release issued yesterday (&lt;a href="http://www.face-to-facebook.net/press/face2facebook_press_release.pdf"&gt;PDF here&lt;/a&gt;), but it's basically a bunch of gibberish -- or maybe that's part of the art.&lt;/span&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-1239114617198827193?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/1239114617198827193/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=1239114617198827193' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1239114617198827193'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1239114617198827193'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2011/02/fake-dating-site-lifts-pictures-and.html' title='Fake Dating Site Lifts Pictures And Names from Facebook -- Without Asking'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-9215236418844299099</id><published>2011-02-07T06:32:00.000-05:00</published><updated>2011-02-07T06:33:57.502-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Did the Internet Kill Privacy?</title><content type='html'>From &lt;a href="http://www.cbsnews.com/stories/2011/02/06/sunday/main7323148.shtml"&gt;CBSNews&lt;/a&gt; ...&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;"For the first time, people were sneaking around taking photos of other people without their permission," said Lane. &lt;br /&gt;&lt;br /&gt;It sparked a 1890 Harvard Law Review article in which future Supreme Court Justice Louis Brandeis and attorney Samuel Warren warned against an ongoing loss of privacy! &lt;br /&gt;&lt;br /&gt;Today, one of the fastest-growing businesses on the Internet is something called data mining: companies collecting our private information, packaging it, using it, selling it. &lt;br /&gt;&lt;br /&gt;Michael Fertik, a Harvard Law School grad who runs a company called Reputation.com, came up with information I thought was private. I was wrong. &lt;br /&gt;&lt;br /&gt;"I think this is your Social Security number," Fertik said. It was! &lt;br /&gt;&lt;br /&gt;He also revealed what he called my "online reputation," based mainly on where I happen to live. &lt;br /&gt;&lt;br /&gt;"Our query is pretty confident that you're a Democrat and pretty confident that you're a Catholic," Fertik said. &lt;br /&gt;&lt;br /&gt;"But that may not be correct," said Moriarty. 
&lt;br /&gt;&lt;br /&gt;"It may just not be correct," he explained. &lt;br /&gt;&lt;br /&gt;And then there's something that could cause a real headache down the road … &lt;br /&gt;&lt;br /&gt;"There's an Erin F. Moriarty who grew up just a few miles where you did, who has been convicted of serving alcohol to minors," Fertik said. "And it'd be very easy for a machine to confuse you and that person, and to think that you are a convicted criminal." &lt;br /&gt;&lt;br /&gt;Even though the OTHER Erin is 20 years younger! &lt;br /&gt;&lt;br /&gt;Fertik's company helps people track down and correct misinformation. But most of us will never even know it's there. &lt;br /&gt;&lt;br /&gt;"The dossier on each of us that is easily aggregated digitally is now probably, let's call it ten pages," Fertik said. "Four years ago it was two pages. In four or five years, it's going to be 100 pages. Why? Because the amount of data that is being collected about each of us, proliferates. Your phone records, your rental records, those different databases that no one originally intended to be combined with one another are being combined now with blazing speed." &lt;br /&gt;&lt;br /&gt;But David J. Moore, who runs 24/7 RealMedia, an Internet advertising firm, seems unfazed. &lt;br /&gt;&lt;br /&gt;He points out that marketing information about potential customers is really nothing new. &lt;br /&gt;&lt;br /&gt;"Magazine publishers for years have been selling the list of subscribers they have to the advertisers that want to send a mailing to them," he said. &lt;br /&gt;&lt;br /&gt;And keep in mind: the more specific and detailed the information, the better companies can target their advertisements to customers who really want it. &lt;br /&gt;&lt;br /&gt;"Let's ask the 500 million people that are on Facebook how concerned are they about their privacy," Moore said. "Or the 100 million that are on MySpace? Most of them really don't care." 
&lt;br /&gt;&lt;br /&gt;Don't tell that to high school teacher Ashley Payne. &lt;br /&gt;&lt;br /&gt;"Yes, I put it on the Internet, so you can make that argument," she said. "But it sort of feels like the same thing as if I had put the pictures in a shoebox in my house and someone came in and took them and showed one of them to the principal." &lt;br /&gt;&lt;br /&gt;What's worse, after she resigned her job at Apalachee High School, Payne says she learned the original complaint came in an anonymous e-mail - not in a phone call from an angry parent. &lt;br /&gt;&lt;br /&gt;"No parent has ever claimed it," Payne said. "There's never been any other complaints against me at this school from teachers, students or parents." &lt;br /&gt;&lt;br /&gt;Officials at the Barrow County Schools, who declined to speak to "Sunday Morning," have so far refused to re-hire Payne. &lt;br /&gt;&lt;br /&gt;In court documents, they say teachers were warned about "unacceptable online activities" by the district. Payne's page, they say, "promoted alcohol use" and "contained profanity." &lt;br /&gt;&lt;br /&gt;She is now in graduate school and is suing the district. She says she wants to be sure that the Internet won't just record how Ashley Payne lost her job, but that she fought back. &lt;br /&gt;&lt;br /&gt;"I want to clear my name, first of all," she said. "And I just want to be back in the classroom, if not that classroom, a classroom. I want to get back doing what I went to school for, my passion in life." 
&lt;/span&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-9215236418844299099?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/9215236418844299099/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=9215236418844299099' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/9215236418844299099'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/9215236418844299099'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2011/02/did-internet-kill-privacy.html' title='Did the Internet Kill Privacy?'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-4758316283898398774</id><published>2011-02-03T14:39:00.002-05:00</published><updated>2011-02-03T14:43:24.305-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='Information Warfare'/><title type='text'>Vodafone network 'hijacked' by Egypt</title><content type='html'>From the BBC ...&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;Mobile phone firm Vodafone has accused the Egyptian authorities 
of using its network to send unattributed text messages supporting the government.&lt;br /&gt;&lt;br /&gt;Vodafone was told to switch off services last week when protests against President Hosni Mubarak began.&lt;br /&gt;&lt;br /&gt;But the authorities then ordered Vodafone to switch the network back on, in order to send messages under Egypt's emergency laws, the firm said.&lt;br /&gt;&lt;br /&gt;In a statement, Vodafone described the messages as "unacceptable".&lt;br /&gt;&lt;br /&gt;"These messages are not scripted by any of the mobile network operators and we do not have the ability to respond to the authorities on their content."&lt;br /&gt;&lt;br /&gt;Likely cost&lt;br /&gt;&lt;br /&gt;The Paris-based Organisation for Economic Co-operation and Development says that the government clampdown on internet services may have cost the Egyptian economy as much as $18m (£11m) a day or $90m in total.&lt;br /&gt;&lt;br /&gt;The impact of the communications block could be even greater, as it would be "much more difficult in the future to attract foreign companies and assure them that the networks will remain reliable", said the OECD in a statement.&lt;br /&gt;&lt;br /&gt;In another development, the credit ratings agency Fitch has downgraded Egypt's debt grade by one notch to BB from BB+, citing the consequences of the continuing political unrest on the economy.&lt;br /&gt;&lt;br /&gt;The country's debt grade has already been downgraded by two other ratings agencies, Moody's and Standard &amp; Poor's.&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;The estimates of the economic impacts of the network shutdown are interesting, but I found the reporting on how the Egyptian government used the Vodafone network to disseminate propaganda more relevant to our in-class discussions.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-4758316283898398774?l=gucosc011.blogspot.com' 
alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/4758316283898398774/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=4758316283898398774' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/4758316283898398774'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/4758316283898398774'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2011/02/vodafone-network-hijacked-by-egypt.html' title='Vodafone network &apos;hijacked&apos; by Egypt'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-4107592825431534225</id><published>2011-02-03T08:27:00.003-05:00</published><updated>2011-02-03T08:38:38.593-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Espionage'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='Information Warfare'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Facebook treads carefully after its vital role in Egypt's anti-Mubarak protests</title><content type='html'>A fascinating look at Facebook's role in helping anti-government protesters in Egypt and around the world by the &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2011/02/02/AR2011020206107.html"&gt;Washington Post's 
Cecilia Kang and Ian Shapira&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;In Egypt, the tried-and-true tool for opponents of President Hosni Mubarak in recent years has been Facebook. Most recently, it was on Facebook - which boasts 5 million users in Egypt, the most in the Arab world - where youthful outrage over the killing of a prominent activist spread, leading to the protests in Cairo's Tahrir Square and Mubarak's promise to step down this year.&lt;br /&gt;&lt;br /&gt;But Facebook, which celebrates its seventh birthday Friday and has more than a half-billion users worldwide, is not eagerly embracing its role as the insurrectionists' instrument of choice. Its strategy contrasts with rivals Google and Twitter, which actively helped opposition leaders communicate after the Egyptian government shut down Internet access.&lt;br /&gt;&lt;br /&gt;The Silicon Valley giant, whether it likes it or not, has been thrust like never before into a sensitive global political moment that pits the company's need for an open Internet against concerns that autocratic regimes could limit use of the site or shut it down altogether.&lt;br /&gt;&lt;br /&gt;"The movement [in Egypt] was very dependent on Facebook," said Alaa Abd El Fattah, an Egyptian blogger and activist in South Africa who has a strong following in Egypt. "It started with anger then turned into a legitimate uprising."&lt;br /&gt;&lt;br /&gt;The recent unrest in Egypt and Tunisia is forcing Facebook officials to grapple with the prospect that other governments will grow more cautious of permitting the company to operate in their countries without restrictions or close monitoring, according to David Kirkpatrick, author of "The Facebook Effect," an authorized biography of the company's history. 
Facebook is also looking at whether it should allow activists to have a measure of anonymity on the site, he said.&lt;br /&gt;&lt;br /&gt;"I have talked to people inside Facebook in the last week, and they are debating this internally," Kirkpatrick said. "Many countries where Facebook is popular have autocracies or dictatorships, and most of the countries have passively tolerated their popularity. But what's happened in Egypt or Tunisia is likely to change other countries' attitudes, and they'll be more wary of Facebook operating there."&lt;br /&gt;&lt;br /&gt;A Facebook spokesman, Andrew Noyes, declined to make anyone at the company available to discuss its role in the Egypt protests or its strategy in politically fraught environments. In a short statement, Noyes said: "Although the turmoil in Egypt is a matter for the Egyptian people and their government to resolve, limiting Internet access for millions of people is a matter of concern for the global community. It is essential to communication and to commerce. No one should be denied access to the Internet."&lt;br /&gt;&lt;br /&gt;(Washington Post Co. Chairman Donald E. Graham sits on Facebook's board.)&lt;br /&gt;&lt;br /&gt;Even when Facebook has actively helped protesters work around government intrusions, the company casts its moves as mere technical solutions. Last month, after Tunisian security officials used a virus to secretly collect local Facebook user IDs and passwords, the Internet giant took action. 
It rerouted Tunisia's Facebook traffic to a site where local Internet service providers couldn't gobble up user information.&lt;br /&gt;&lt;br /&gt;In a statement released to The Post, the company said it viewed the predicament as just a "security problem" in need of a fix.&lt;br /&gt;&lt;br /&gt;"Certainly there's a political context to the particular circumstance in Tunisia, but from Facebook's perspective, what happened was a security problem that required a technological solution: we prevented an exploit that was making Facebook accounts vulnerable and restored the integrity of the compromised accounts," wrote Joe Sullivan, Facebook's chief security officer. "We would have taken the same approach in any situation where we saw a systematic exploit."&lt;br /&gt;&lt;br /&gt;Yet Facebook seems to be veering in a different direction than Google, which has battled China over censorship, or Twitter, the microblogging site that earned renown during the Iranian protests of 2009 for delaying a scheduled shutdown and facilitating civil protest in Tehran. This week, Twitter, Google and SayNow, a voice-based social media platform, launched a service that provides Egyptians with phone numbers to call and leave messages, which are recorded and posted on the Internet. It's called Tweet2Speak.&lt;br /&gt;&lt;br /&gt;In early 2010, in the wake of Google's censorship clashes with China, Facebook was one of a handful of companies blasted by Congress for refusing to participate in Senate committee hearings that examined how Silicon Valley companies were operating with foreign governments. Facebook responded at the time by saying it had no employees in China and that it was a different kind of business than Google.&lt;br /&gt;&lt;br /&gt;Facebook's director of public policy, Tim Sparapani, wrote in a letter to Sen. Richard J. Durbin. 
(D-Ill.): "These conflicting approaches presents challenges for companies, particularly ones such as Facebook that are small and growing, to navigate new markets around the world without strong support from national governments and multinational institutions."&lt;br /&gt;&lt;br /&gt;Facebook hasn't joined the Global Network Initiative, a nonprofit coalition of communications companies - including Microsoft, Google and Yahoo - established to create anti-censorship standards around the world. (Twitter hasn't joined, either.)&lt;br /&gt;&lt;br /&gt;Some advocates of online free speech say Facebook can no longer linger on the sidelines.&lt;br /&gt;&lt;br /&gt;"The good news for Twitter and Facebook is how important they are, and one should congratulate them for being critical tools," said John Palfrey, the co-director of Harvard University's Berkman Center for Internet &amp; Society. "But also, there is an obligation that comes with that level of adoption."&lt;br /&gt;&lt;br /&gt;Even though Facebook has refrained from taking overtly political stances on Egypt, the social network remains a vital tool for conveying anti-government news about Egypt.&lt;br /&gt;&lt;br /&gt;Riyaad Minty, al-Jazeera's social-media head, said the news agency has been live-streaming its coverage of the protests on its Facebook fan pages in the United States and Arab world, boosting its fan volume by 30 to 50 percent; its half-dozen status updates about the crisis have reaped 10 million views a day, up from the 2 million daily views the pages had previously, Minty said.&lt;br /&gt;&lt;br /&gt;"I do think governments see Facebook as a political tool, which is why Egypt has shut off the Internet," said Minty, adding that he prefers Facebook's more objective approach so it does not unnecessarily rattle conservative foreign leaders.&lt;br /&gt;&lt;br /&gt;Additionally, Facebook ad sales teams have been helping al-Jazeera capitalize on Egypt's crisis to attract more eyeballs in the United States 
and build up a new, loyal audience.&lt;br /&gt;&lt;br /&gt;"They've been giving us strategic advice," he said. "We're targeting people over 18, and our big push has been toward the U.S. audience."&lt;br /&gt;&lt;br /&gt;Some Internet experts say Facebook needs to determine how to protect its users in countries with restrictive regimes, but the company's terms of use - which require members to use real identities - make protesters vulnerable to government spying. Facebook chief executive Mark Zuckerberg has insisted on the policy, saying the site would lose integrity if people hid behind phony identities.&lt;br /&gt;&lt;br /&gt;"People at Facebook have been asking themselves in the wake of Egypt or Tunisia whether there might be a way they can allow political activities in these spontaneous revolts to acquire a little bit of anonymity," said Kirkpatrick, the company's biographer. "The problem is, if they start making it easier for political activists to use Facebook in places like Egypt or Tunisia, those same capabilities are likely to be used by people we don't admire or pro-government thugs."&lt;br /&gt;&lt;br /&gt;Kirkpatrick added that these choices all come down to the company's famously private CEO.&lt;br /&gt;&lt;br /&gt;"Inside Facebook," he said, "there's really only one person who makes these decisions. He has to decide."&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Pay particular attention to the offense vs. defense battle between nation-states and opposition movements, specifically how nation-states try to use platforms like Facebook to gather information on their opponents, while opposition parties attempt to use Facebook and other tools to rally dissent. 
This piece provides a fascinating perspective on the emerging battleground in cyberspace and how privacy and security are intertwined.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-4107592825431534225?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/4107592825431534225/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=4107592825431534225' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/4107592825431534225'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/4107592825431534225'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2011/02/facebook-treads-carefully-after-its.html' title='Facebook treads carefully after its vital role in Egypt&apos;s anti-Mubarak protests'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-7717355088900255258</id><published>2011-02-02T23:08:00.002-05:00</published><updated>2011-02-02T23:14:50.756-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>The Internet Should Not Be Anonymous</title><content type='html'>Via &lt;a 
href="http://www.pcworld.com/article/218429/the_internet_should_not_be_anonymous.html"&gt;Roger Grimes at PCWorld&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;The news of the U.S. government's latest attempt at a national citizen "Internet ID" brought yet another round of choruses: The Internet must be free! Any government ID plan is bad! Anonymity for all forever! Perform an Internet search on "Obama national Internet ID" to see the screeds against the proposed plan. Security experts around the world are saying the government would have to pry their anonymity from their cold, dead touchscreens.&lt;br /&gt;&lt;br /&gt;I chuckled at these angry responses because they sound like the heated calls for anarchy in the 1970s from tattooed punk rockers smoking unfiltered Camels while the Sex Pistols played in the background. The difference is the angry masses in this case are being riled up by security experts, who have been ranting wildly enough to spill their expensive Imperial Stout all over their tablet devices and brie salads.&lt;br /&gt;&lt;br /&gt;Notably, the details behind the plan are scarce right now. The rationale, according to U.S. Commerce Secretary Gary Locke, is "enhancing online security and privacy, and reducing and perhaps even eliminating the need to memorize a dozen passwords, through creation and use of more trusted digital identities."&lt;br /&gt;&lt;br /&gt;Even though I'm a huge privacy proponent, I get a little tired of seeing every proposal for a national or government ID met with absolute aversion. Security isn't binary. 
If a national ID plan offers more benefits than disadvantages, then I don't want to throw the baby out with the bathwater.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Total Internet anonymity means total anarchy&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;Just like the anarchist who is the first to call the police when punched in the face over his or her beliefs, the Internet would fall if we had total anonymity and no means of ensuring trust. Without strong authentication, authorization, and accounting, even places on the Internet meant for total anonymity would fail. The Internet would not be the Internet. Why? Because someone has to pay the bills and maintain control.&lt;br /&gt;&lt;br /&gt;If the Internet was completely anarchistic, with no access control, websites would be constantly taken down, denial-of-service attacks would be even more common than they are today, and anyone could pretend to be anyone else. (This is already all too easy to do on Facebook, one of the biggest websites ever.)&lt;br /&gt;&lt;br /&gt;Someone has to exert control and make sure ill-intentioned people don't take it all down. In the perfect world, no one would ever try to take down a website or disrupt someone else's legitimate actions. But human beings are imperfect and often seem overly capable of damaging other people's resources and experience. Case in point: I consulted for the owners of a thoroughly hacked website that had been created for collecting donations for a child's cancer treatment. I'm sure the hacker has plenty of personal excuses to rationalize his or her behavior.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Driver's licenses aren't all bad&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;I think most of us agree that some form of access control is needed in order for the Internet to be a useful tool for billions of people, especially as more and more critical services go online. The real question: How much control and who should control it? 
I'm pretty sure I don't want any government controlling the Internet, but I'm not sure a national logon ID is a complete takeover.&lt;br /&gt;&lt;br /&gt;A lot of people whom I respect and admire are totally against any government agency requiring anyone to have a common identifier in the real world, such as a Social Security number or a passport, or on the Internet. They argue that such IDs are guaranteed to be hacked, abused, and misused -- both by malicious people and the very governments that issue them.&lt;br /&gt;&lt;br /&gt;I understand the inherent concerns about giving any entity total trust, but a blanket statement against any common and trusted ID doesn't seem to be fair either. Although common IDs are largely imperfect, they provide value all throughout society. For example, I'm delighted that underage children aren't allowed to drive cars and that adults are forced to take a test before they can. I like that my world has street names and sequenced housing addresses so that it's easier for mail to be delivered and for the fire department and rescue squads to find my house.&lt;br /&gt;&lt;br /&gt;For each ID we have, we should ask ourselves if society is better off with or without it. I'm not talking about using scary edge cases as the determiner, but looking at all the positives and negatives before registering complete disdain.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Know your Net neighbors&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;Perhaps you support the idea of driver's licenses and passports but still don't see how a national Internet ID would make the Web a safer place. Well, if the system could improve identity assurance (that is, the person is who they say they are), then it could prove useful. Maybe it would require two- or multifactor, biometric identification. 
A well-designed authentication system would consider all the components of the system and elevate or de-elevate assurance levels as appropriate.&lt;br /&gt;This wouldn't stop hacking -- or identity theft, for that matter -- because bad guys can simply reuse credentials after the person has successfully authenticated on their compromised workstation. But it would be better than the default simple name and passwords we use today.&lt;br /&gt;&lt;br /&gt;The details behind the Obama administration's push for a national Internet ID aren't known. But I do know that the Internet needs to be a more trustworthy place than it is today, and I'm willing to listen to new solutions that might help -- at least long enough to learn all the facts before just saying no.&lt;br /&gt;&lt;br /&gt;In fact, I'd be happy if all it does is get the discussion to the end-game going. Anything is better than what we currently have in place&lt;/span&gt;.&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-7717355088900255258?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/7717355088900255258/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=7717355088900255258' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/7717355088900255258'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/7717355088900255258'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2011/02/internet-should-not-be-anonymous.html' title='The Internet Should Not Be Anonymous'/><author><name>Ned 
Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-964811171515895434</id><published>2011-02-02T22:49:00.003-05:00</published><updated>2011-02-02T22:56:42.016-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='Transparency'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Google Reaches Deal With Connecticut in Data Probe</title><content type='html'>From Amir Efrati at &lt;a href="http://online.wsj.com/article/SB10001424052748703956604576110332331598572.html?mod=googlenews_wsj"&gt;the Wall Street Journal&lt;/a&gt;,&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;Connecticut's attorney general said Google Inc. won't have to hand over user data it collected from unsecured wireless networks as part of his office's probe of the Internet giant's privacy snafu.&lt;br /&gt;&lt;br /&gt;Attorney General George Jepsen said Friday his office reached a deal with the Internet company that allows him to begin settlement negotiations over whether Google violated state law. Last month Google rejected a subpoena issued by Mr. Jepsen's predecessor, Richard Blumenthal, to hand over data the company collected when its Street View cars were within range of unsecured wireless Internet hotspots.&lt;br /&gt;&lt;br /&gt;Google's world-wide fleet of Street View cars for years collected images of streets that are used in the company's online mapping service. 
But they also scanned for wireless networks in order to beef up certain mobile-device applications that help pinpoint the location of users. In some cases the cars inadvertently collected personal information such as email addresses and passwords, Google said last year.&lt;br /&gt;&lt;br /&gt;As part of the deal with Connecticut, Google said it wouldn't contest the fact that its Street View cars had collected private user information including URLs of requested Web pages, partial or complete email communications or other information in 2008 and 2009, according to Mr. Jepsen.&lt;br /&gt;&lt;br /&gt;A Google spokeswoman reiterated the company's statements that it is "profoundly sorry" for having mistakenly collected payload data from unencrypted wireless networks.&lt;br /&gt;&lt;br /&gt;"As soon as we realized what had happened, we stopped collecting all Wi-Fi data from our Street View cars and immediately informed the authorities," she said. "We did not want and have never used the payload data in any of our products and services. We want to delete this data as soon as possible and will continue to work with the authorities to determine the best way forward, as well as to answer their further questions and concerns."&lt;br /&gt;&lt;br /&gt;Mr. Jepsen said he is leading a 40-state coalition that is examining the issue, and that he is prepared to file a lawsuit if settlement talks break down.&lt;br /&gt;&lt;br /&gt;The Federal Communications Commission said in November it was probing whether Google broke federal law in collecting consumer data via Wi-Fi networks. 
Another agency, the Federal Trade Commission, previously ended its probe and said Google had taken sufficient steps to prevent a recurrence.&lt;br /&gt;&lt;br /&gt;When the mistakes became known earlier this year, Google initially said a review of the data it collected showed it captured fragments of data but later said it also had more-complete pieces of information about Internet users.&lt;br /&gt;&lt;br /&gt;Google has said it doesn't believe it broke U.S. law, and the matter has been a bigger problem for the company outside the U.S., where it is facing probes in countries such as Germany, South Korea, and France. It has shown to regulators some of the data it collected.&lt;/span&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-964811171515895434?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/964811171515895434/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=964811171515895434' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/964811171515895434'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/964811171515895434'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2011/02/google-reaches-deal-with-connecticut-in.html' title='Google Reaches Deal With Connecticut in Data Probe'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-8538551842300611122</id><published>2011-01-30T18:56:00.002-05:00</published><updated>2011-01-30T19:00:26.687-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Facebook pwns Firesheep</title><content type='html'>From Facebook.com,&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;Starting today we'll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools. The option will exist as part of our advanced security features, which you can find in the "Account Security" section of the Account Settings page.&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://a5.sphotos.ak.fbcdn.net/hphotos-ak-snc4/hs1384.snc4/163622_10150142085171729_20531316728_7787845_3736460_n.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 677px; height: 371px;" src="http://a5.sphotos.ak.fbcdn.net/hphotos-ak-snc4/hs1384.snc4/163622_10150142085171729_20531316728_7787845_3736460_n.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;There are a few things you should keep in mind before deciding to enable HTTPS. Encrypted pages take longer to load, so you may notice that Facebook is slower using HTTPS. 
In addition, some Facebook features, including many third-party applications, are not currently supported in HTTPS. We'll be working hard to resolve these remaining issues. We are rolling this out slowly over the next few weeks, but you will be able to turn this feature on in your Account Settings soon. We hope to offer HTTPS as a default whenever you are using Facebook sometime in the future&lt;/span&gt;&lt;/blockquote&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-8538551842300611122?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/8538551842300611122/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=8538551842300611122' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/8538551842300611122'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/8538551842300611122'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2011/01/facebook-pwns-firesheep.html' title='Facebook pwns Firesheep'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-1889502875185922759</id><published>2011-01-30T18:54:00.000-05:00</published><updated>2011-01-30T18:55:11.224-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' 
term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>House Considers Mandating Internet Data Retention For Crime Solving</title><content type='html'>ABC News' Mary Bruce reports:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;Criminal investigations are “being frustrated” because internet providers are not required by law to retain information on what their customers are doing online, the Department of Justice testified before a House hearing today.&lt;br /&gt;&lt;br /&gt;“The gap between providers retention practices and the needs of law enforcement can be extremely harmful to investigations that are critical to protecting the public from predators,” Justice Department Deputy Assistant Attorney General Jason Weinstein told a House Justice Committee hearing on “data retention as a tool for investigating internet child pornography and other internet crimes.”&lt;br /&gt;&lt;br /&gt;“The lack of adequate, uniform and consistent data retention policies threatens our ability to use the legal tools Congress has provided to law enforcement to protect public safety,” he said.&lt;br /&gt;&lt;br /&gt;While some internet providers voluntarily retain user data for months or years, others do not retain data at all. Under current law, officers can issue subpoenas, court orders and search warrants to require an internet service provider to hand over user data. The problem, Weinstein testified, is that “those authorities are only useful if the data is still in existence at the time the government seeks to obtain it.”&lt;br /&gt;&lt;br /&gt;Judiciary Committee Chair Rep. Lamar Smith, R-Texas, agreed. “When law enforcement officers do develop leads that might ultimately result in saving a child or apprehending a pornographer, their efforts should not be frustrated because vital records were destroyed simply because there was no requirement to retain them. 
Every piece of discarded information could be the footprint of a child predator,” he said.&lt;br /&gt;&lt;br /&gt;Other committee members and the Internet Service Provider Association expressed concern, however, that retaining internet data could infringe on users’ privacy.  &lt;br /&gt;&lt;br /&gt;“A data retention mandate would raise a number of serious privacy and free speech concerns…  Congress should be very hesitant to require service providers to create databases to track the internet activities of 230 million innocent Americans,” said John Morris, General Counsel for the Center for Democracy and Technology.&lt;br /&gt;&lt;br /&gt;Florida Democrat Rep. Debbie Wasserman Schultz reiterated “this is not about watching or tracking people’s behavior online… it’s about helping law enforcement connect the dots.”&lt;br /&gt;&lt;br /&gt;Beyond privacy concerns, Morris argued that requiring internet providers to extend their data retention for longer periods would be so cost prohibitive that it would harm competition, innovation and ultimately internet users.&lt;br /&gt;&lt;br /&gt;Kate Dean, the Executive Director of the Internet Service Provider Association, questioned how companies would keep track of a growing amount of personal user data.&lt;br /&gt;&lt;br /&gt;“We’re dealing with people’s lives and liberty here and out of all of this data we have to make sure that, say 18 months down the road, that tiny particular piece of information is exactly the right information linking that exact target,” she said.&lt;br /&gt;&lt;br /&gt;Looking ahead, Rep. Jim Sensenbrenner, R-Wis., asked Dean if, in place of a Congressional mandate, her member companies would be willing to come together and develop their own voluntary compliance order.&lt;br /&gt;&lt;br /&gt;“I am a firm believer in carrots and sticks and I am tossing you a carrot now… If you aren’t a good rabbit and don’t start eating the carrot, I’m afraid that we’re all going to be throwing the stick at you.  
So this is an opportunity for you to come up with some kind of a solution,” Sensenbrenner said.&lt;br /&gt;&lt;br /&gt;Dean said the Association would be willing to sit down with all parties involved and take an active role in a larger dialogue.&lt;/span&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-1889502875185922759?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/1889502875185922759/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=1889502875185922759' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1889502875185922759'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1889502875185922759'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2011/01/house-considers-mandating-internet-data.html' title='House Considers Mandating Internet Data Retention For Crime Solving'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-4608210320568533858</id><published>2011-01-30T17:59:00.003-05:00</published><updated>2011-01-30T18:02:54.523-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Egypt 
Disconnected</title><content type='html'>Image courtesy of Craig Labovitz - the chief scientist at Arbor Networks.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.wired.com/images_blogs/threatlevel/2011/01/arbor_egypt-660x359.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 660px; height: 359px;" src="http://www.wired.com/images_blogs/threatlevel/2011/01/arbor_egypt-660x359.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Egypt's ability to cut itself off from the Internet helps demonstrate that nation-states still do have some ability to control the free flow of information in the digital age.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-4608210320568533858?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/4608210320568533858/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=4608210320568533858' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/4608210320568533858'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/4608210320568533858'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2011/01/egypt-disconnected.html' title='Egypt Disconnected'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-1171082124690377200</id><published>2011-01-30T17:55:00.002-05:00</published><updated>2011-01-30T17:58:48.038-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Internet ‘Kill Switch’ Legislation Back in Play</title><content type='html'>From David Kravets at &lt;a href="http://www.wired.com/threatlevel/2011/01/kill-switch-legislation/#more-23225"&gt;Wired's Threat Level Blog&lt;/a&gt;,&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;The resurgence of the so-called “kill switch” legislation came the same day Egyptians faced an internet blackout designed to counter massive demonstrations in that country.&lt;br /&gt;&lt;br /&gt;The bill, which has bipartisan support, is being floated by Sen. Susan Collins, the Republican ranking member on the Homeland Security and Governmental Affairs Committee. The proposed legislation, which Collins said would not give the president the same power Egypt’s Hosni Mubarak is exercising to quell dissent, sailed through the Homeland Security Committee in December but expired with the new Congress weeks later.&lt;br /&gt;&lt;br /&gt;The bill is designed to protect against “significant” cyber threats before they cause damage, Collins said.&lt;br /&gt;&lt;br /&gt;“My legislation would provide a mechanism for the government to work with the private sector in the event of a true cyber emergency,” Collins said in an e-mail Friday. 
“It would give our nation the best tools available to swiftly respond to a significant threat.”&lt;br /&gt;&lt;br /&gt;The timing of when the legislation would be re-introduced was not immediately clear, as kinks to it are being worked out.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;An aide to the Homeland Security committee described the bill as one that does not mandate the shuttering of the entire internet. Instead, it would authorize the president to demand turning off access to so-called “critical infrastructure” where necessary.&lt;br /&gt;&lt;br /&gt;An example, the aide said, would require infrastructure connected to “the system that controls the floodgates to the Hoover dam” to cut its connection to the net if the government detected an imminent cyber attack.&lt;br /&gt;&lt;br /&gt;What’s unclear, however, is how the government would have any idea when a cyber attack was imminent or why the operator wouldn’t shutter itself if it detected a looming attack.&lt;br /&gt;&lt;br /&gt;About two dozen groups, including the American Civil Liberties Union, the American Library Association, Electronic Frontier Foundation and Center for Democracy &amp; Technology, were skeptical enough to file an open letter opposing the idea. 
They are concerned that the measure, if it became law, might be used to censor the internet.&lt;br /&gt;&lt;br /&gt;“It is imperative that cyber-security legislation not erode our rights,” (.pdf) the groups wrote last year to Congress.&lt;br /&gt;&lt;br /&gt;A congressional white paper (.pdf) on the measure said the proposal prohibits the government from targeting websites for censorship “based solely on activities protected by the First Amendment of the United States Constitution.”&lt;br /&gt;&lt;br /&gt;Oddly, that’s exactly the same language in the Patriot Act used to test whether the government can wiretap or investigate a person based on their political beliefs or statements.&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;A couple of thoughts on this bill:&lt;br /&gt;&lt;br /&gt;- What are the implications for our digital privacy? In order to detect cyber threats, is intrusive monitoring of the Internet required?&lt;br /&gt;- And why the *#$! would the Hoover Dam need to be connected to the Internet?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-1171082124690377200?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/1171082124690377200/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=1171082124690377200' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1171082124690377200'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1171082124690377200'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2011/01/internet-kill-switch-legislation-back.html' title='Internet ‘Kill Switch’ Legislation Back in 
Play'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-8465786266749526632</id><published>2010-12-06T09:11:00.001-05:00</published><updated>2010-12-06T09:12:37.205-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Crime'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Cybergang infects all ATMs in Russian city</title><content type='html'>from &lt;a href="http://www.net-security.org/malware_news.php?id=1555"&gt;help net security&lt;/a&gt; ...&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;A group of fraudsters has been arrested in Yakutsk and Moscow for allegedly compromising all the ATMs in the city of Yakutsk - population: around 210,000 - in the Republic of Yakutia in the Russian Federation.&lt;br /&gt;&lt;br /&gt;Three of the men formed the actual criminal group, and the fourth - a Moscow-based malware developer - was "subcontracted" by them and received 100,000 rubles (some $3200) to develop a custom ATM virus with which they would infect the devices. &lt;br /&gt;&lt;br /&gt;Every man had his role in the operation: one who used to work as a head of an IT department obtained access to the ATMs, the second one - a system administrator - infected them, and the third one was supposedly intended to be the money mule. 
&lt;br /&gt;&lt;br /&gt;According to the press release (Google translation) issued by the Ministry of Internal Affairs' cybercrime division, a coordinated raid of the three's apartments led to their arrest and the confiscation of copies of the malware and credit card information that - according to the investigators - they didn't have time to take advantage of.&lt;br /&gt;&lt;br /&gt;The malware author was arrested in Moscow a week after. All four have been detained and will likely be charged for creation, use and distribution of malicious computer programs, and hopefully fraud.&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;this is not good .....&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-8465786266749526632?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/8465786266749526632/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=8465786266749526632' title='12 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/8465786266749526632'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/8465786266749526632'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/12/cybergang-infects-all-atms-in-russian.html' title='Cybergang infects all ATMs in Russian city'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>12</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-2582968339280510614</id><published>2010-11-18T05:25:00.000-05:00</published><updated>2010-11-18T05:26:30.283-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='Information Warfare'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Cyber Experts Have Proof That China Has Hijacked U.S.-Based Internet Traffic</title><content type='html'>From the &lt;a href="http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=249"&gt;National Defense Magazine&lt;/a&gt; ...&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;For 18 minutes in April, China’s state-controlled telecommunications company hijacked 15 percent of the world’s Internet traffic, including data from U.S. military, civilian organizations and those of other U.S. 
allies.&lt;br /&gt;&lt;br /&gt;This massive redirection of data has received scant attention in the mainstream media because the mechanics of how the hijacking was carried out and the implications of the incident are difficult for those outside the cybersecurity community to grasp, said a top security expert at McAfee, the world’s largest dedicated Internet security company.&lt;br /&gt;&lt;br /&gt;In short, the Chinese could have carried out eavesdropping on unprotected communications — including emails and instant messaging — manipulated data passing through their country or decrypted messages, Dmitri Alperovitch, vice president of threat research at McAfee said.&lt;br /&gt;&lt;br /&gt;Nobody outside of China can say, at least publicly, what happened to the terabytes of data after the traffic entered China.&lt;br /&gt;&lt;br /&gt;The incident may receive more attention when the U.S.-China Economic and Security Review Commission, a congressional committee, releases its annual report on the bilateral relationship Nov. 17. A commission press release said the 2010 report will address “the increasingly sophisticated nature of malicious computer activity associated with China.”&lt;br /&gt;&lt;br /&gt;Said Alperovitch: “This is one of the biggest — if not the biggest hijacks — we have ever seen.” And it could happen again, anywhere and anytime. It’s just the way the Internet works, he explained. “What happened to the traffic while it was in China? No one knows.”&lt;br /&gt;&lt;br /&gt;The telephone giants of the world work on a system based on trust, he explained. Machine-to-machine interfaces send out messages to the Internet informing other service providers that they are the fastest and most efficient way for data packets to travel. For 18 minutes April 8, China Telecom Corp. told many ISPs of the world that its routes were the best paths to send traffic. 
&lt;br /&gt;&lt;br /&gt;For example, a person sending information from Arlington, Va., to the White House in Washington, D.C. — only a few miles away — could have had his data routed through China. Since traffic moves around the world in milliseconds, the computer user would not have noticed the delay.&lt;br /&gt;&lt;br /&gt;This happens accidentally a few times per year, Alperovitch said. What set this incident apart from other such mishaps was the fact that China Telecom could manage to absorb this large amount of data and send it back out again without anyone noticing a disruption in service. In previous incidents, the data would have reached a dead end, and users would not have been able to connect.&lt;br /&gt;&lt;br /&gt;Also, the list of hijacked data just happened to include preselected destinations around the world that encompassed military, intelligence and many civilian networks in the United States and other allies such as Japan and Australia, he said. “Why would you keep that list?” Alperovitch asked.&lt;br /&gt;&lt;br /&gt;The incident involved 15 percent of Internet traffic, he stressed. The amount of data included in all these packets is difficult to calculate. The data could have been stored so it could be examined later, he added. “Imagine the capability and capacity that is built into their networks. I’m not sure there was anyone else in the world who could have taken on that much traffic without breaking a sweat,” Alperovitch said.&lt;br /&gt;&lt;br /&gt;McAfee has briefed U.S. government officials on the incident, but they were not alarmed. They said their Internet communications are encrypted. However, encryption also works on a basis of trust, McAfee experts pointed out. And that trust can be exploited.&lt;br /&gt;&lt;br /&gt;Internet encryption depends on two keys. One key is private and not shared, and the other is public, and is embedded in most computer operating systems. 
Unknown to most computer users, Microsoft, Apple and other software makers embed the public certificates in their operating systems. They also trust that this system won’t be abused.&lt;br /&gt;&lt;br /&gt;Among the certificates is one from the China Internet Information Center, an arm of China’s Ministry of Information and Industry.&lt;br /&gt;&lt;br /&gt; “If China telecom intercepts that [encrypted message] and they are sitting on the middle of that, they can send you their public key with their public certificate and you will not know any better,” he said. The holder of this certificate has the capability to decrypt encrypted communication links, whether it’s web traffic, emails or instant messaging, Alperovitch said. “It is a flaw in the way the Internet operates,” said Yoris Evers, director of worldwide public relations at McAfee.&lt;br /&gt;&lt;br /&gt;No one outside of China can say whether any of these potentially nefarious events occurred, Alperovitch noted. “It did not make mainstream news because it is so esoteric and hard to understand,” he added. It is not defined as a cyberattack because no sites were hacked or shut down. “But it is pretty disconcerting.”&lt;br /&gt;&lt;br /&gt;And the hijacking took advantage of the way the Internet operates. “It can happen again. They can do it tomorrow or they can do it in an hour. 
And the same problem will occur again.”&lt;/span&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-2582968339280510614?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/2582968339280510614/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=2582968339280510614' title='8 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/2582968339280510614'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/2582968339280510614'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/11/cyber-experts-have-proof-that-china-has.html' title='Cyber Experts Have Proof That China Has Hijacked U.S.-Based Internet Traffic'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>8</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-4886697476856158093</id><published>2010-11-15T06:31:00.001-05:00</published><updated>2010-11-15T06:33:23.417-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>The Plan To Quarantine Infected Computers</title><content type='html'>From &lt;a 
href="http://www.forbes.com/2010/11/10/microsoft-viruses-security-technology-quarantine.html?boxes=Homepagechannels"&gt;Bruce Schneier's column at Forbes Magazine&lt;/a&gt; ...&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;Last month Scott Charney of Microsoft proposed that infected computers be quarantined from the Internet. Using a public health model for Internet security, the idea is that infected computers spreading worms and viruses are a risk to the greater community and thus need to be isolated. Internet service providers would administer the quarantine, and would also clean up and update users' computers so they could rejoin the greater Internet.&lt;br /&gt;&lt;br /&gt;This isn't a new idea. Already there are products that test computers trying to join private networks, and only allow them access if their security patches are up-to-date and their antivirus software certifies them as clean. Computers denied access are sometimes shunned to a limited-capability sub-network where all they can do is download and install the updates they need to regain access. This sort of system has been used with great success at universities and end-user-device-friendly corporate networks. They're happy to let you log in with any device you want--this is the consumerization trend in action--as long as your security is up to snuff.&lt;br /&gt;&lt;br /&gt;Charney's idea is to do that on a larger scale. To implement it we have to deal with two problems. There's the technical problem--making the quarantine work in the face of malware designed to evade it, and the social problem--ensuring that people don't have their computers unduly quarantined. Understanding the problems requires us to understand quarantines in general.&lt;br /&gt;&lt;br /&gt;Quarantines have been used to contain disease for millennia. In general several things need to be true for them to work. One, the thing being quarantined needs to be easily recognized. 
It's easier to quarantine a disease if it has obvious physical characteristics: fever, boils, etc. If there aren't any obvious physical effects, or if those effects don't show up while the disease is contagious, a quarantine is much less effective.&lt;br /&gt;&lt;br /&gt;Similarly, it's easier to quarantine an infected computer if that infection is detectable. As Charney points out, his plan is only effective against worms and viruses that our security products recognize, not against those that are new and still undetectable.&lt;br /&gt;&lt;br /&gt;Two, the separation has to be effective. The leper colonies on Molokai and Spinalonga both worked because it was hard for the quarantined to leave. Quarantined medieval cities worked less well because it was too easy to leave, or--when the diseases spread via rats or mosquitoes--because the quarantine was targeted at the wrong thing.&lt;br /&gt;&lt;br /&gt;Computer quarantines have been generally effective because the users whose computers are being quarantined aren't sophisticated enough to break out of the quarantine, and find it easier to update their software and rejoin the network legitimately.&lt;br /&gt;&lt;br /&gt;Three, only a small section of the population must need to be quarantined. The solution works only if it's a minority of the population that's affected, either with physical diseases or computer diseases. If most people are infected, overall infection rates aren't going to be slowed much by quarantining. Similarly, a quarantine that tries to isolate most of the Internet simply won't work.&lt;br /&gt;&lt;br /&gt;Fourth, the benefits must outweigh the costs. Medical quarantines are expensive to maintain, especially if people are being quarantined against their will. Determining who to quarantine is either expensive (if it's done correctly) or arbitrary, authoritative and abuse-prone (if it's done badly). It could even be both. 
The value to society must be worth it.&lt;br /&gt;&lt;br /&gt;It's the last point that Charney and others emphasize. If Internet worms were only damaging to the infected, we wouldn't need a societally imposed quarantine like this. But they're damaging to everyone else on the Internet, spreading and infecting others. At the same time, we can implement systems that quarantine cheaply. The value to society far outweighs the cost.&lt;br /&gt;&lt;br /&gt;That makes sense, but once you move quarantines from isolated private networks to the general Internet, the nature of the threat changes. Imagine an intelligent and malicious infectious disease: That's what malware is. The current crop of malware ignores quarantines; they're few and far enough between not to affect their effectiveness.&lt;br /&gt;&lt;br /&gt;If we tried to implement Internet-wide--or even countrywide--quarantining, worm-writers would start building in ways to break the quarantine. So instead of nontechnical users not bothering to break quarantines because they don't know how, we'd have technically sophisticated virus-writers trying to break quarantines. Implementing the quarantine at the ISP level would help, and if the ISP monitored computer behavior, not just specific virus signatures, it would be somewhat effective even in the face of evasion tactics. But evasion would be possible, and we'd be stuck in another computer security arms race. This isn't a reason to dismiss the proposal outright, but it is something we need to think about when weighing its potential effectiveness.&lt;br /&gt;&lt;br /&gt;Additionally, there's the problem of who gets to decide which computers to quarantine. It's easy on a corporate or university network: the owners of the network get to decide. But the Internet doesn't have that sort of hierarchical control, and denying people access without due process is fraught with danger. What are the appeal mechanisms? The audit mechanisms? 
Charney proposes that ISPs administer the quarantines, but there would have to be some central authority that decided what degree of infection would be sufficient to impose the quarantine. Although this is being presented as a wholly technical solution, it's these social and political ramifications that are the most difficult to determine and the easiest to abuse.&lt;br /&gt;&lt;br /&gt;Once we implement a mechanism for quarantining infected computers, we create the possibility of quarantining them in all sorts of other circumstances. Should we quarantine computers that don't have their patches up to date, even if they're uninfected? Might there be a legitimate reason for someone to avoid patching his computer? Should the government be able to quarantine someone for something he said in a chat room, or a series of search queries he made? I'm sure we don't think it should, but what if that chat and those queries revolved around terrorism? Where's the line?&lt;br /&gt;&lt;br /&gt;Microsoft would certainly like to quarantine any computers it feels are not running legal copies of its operating system or applications software. The music and movie industry will want to quarantine anyone it decides is downloading or sharing pirated media files--they're already pushing similar proposals.&lt;br /&gt;&lt;br /&gt;A security measure designed to keep malicious worms from spreading over the Internet can quickly become an enforcement tool for corporate business models. Charney addresses the need to limit this kind of function creep, but I don't think it will be easy to prevent; it's an enforcement mechanism just begging to be used.&lt;br /&gt;&lt;br /&gt;Once you start thinking about implementation of quarantine, all sorts of other social issues emerge. What do we do about people who need the Internet? Maybe VoIP is their only phone service. Maybe they have an Internet-enabled medical device. Maybe their business requires the Internet to run. 
The effects of quarantining these people would be considerable, even potentially life-threatening. Again, where's the line?&lt;br /&gt;&lt;br /&gt;What do we do if people feel they are quarantined unjustly? Or if they are using nonstandard software unfamiliar to the ISP? Is there an appeals process? Who administers it? Surely not a for-profit company.&lt;br /&gt;&lt;br /&gt;Public health is the right way to look at this problem. This conversation--between the rights of the individual and the rights of society--is a valid one to have, and this solution is a good possibility to consider.&lt;br /&gt;&lt;br /&gt;There are some applicable parallels. We require drivers to be licensed and cars to be inspected not because we worry about the danger of unlicensed drivers and uninspected cars to themselves, but because we worry about their danger to other drivers and pedestrians. The small number of parents who don't vaccinate their kids have already caused minor outbreaks of whooping cough and measles among the greater population. We all suffer when someone on the Internet allows his computer to get infected. 
How we balance that with individuals' rights to maintain their own computers as they see fit is a discussion we need to start having.&lt;/span&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-4886697476856158093?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/4886697476856158093/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=4886697476856158093' title='10 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/4886697476856158093'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/4886697476856158093'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/11/plan-to-quarantine-infected-computers.html' title='The Plan To Quarantine Infected Computers'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>10</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-8251147327463477040</id><published>2010-11-15T05:24:00.002-05:00</published><updated>2010-11-15T05:31:54.891-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Crime'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Anatomy Of An Attempted Malware Scam</title><content type='html'>I stumbled across this fascinating inside account of how cyber criminals infiltrate online advertising by &lt;a 
href="http://www.mediapost.com/publications/?fa=Articles.showArticle&amp;art_aid=133004"&gt;Julia Casale-Amorim of Castle Media&lt;/a&gt;. Try not to get lost in the technical jargon of the advertising world and instead focus on the criminal's cleverness and level of effort.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;The display media segment is the newest target of malvertising, the latest trend in online criminal methodology. The problem has escalated in recent months and despite many suppliers' best efforts, it continues to grow. The culprits behind many of these attacks are based in foreign states leaving little course to take action. While the best defense against malvertising is to prevent it from happening in the first place, this has proven to be a challenge for even the most astute publishers, networks and the like.&lt;br /&gt;&lt;br /&gt;We were recently the targets of one such attempt, and while it certainly wasn't the first "fake agency" we've been besieged by (and that we've successfully stopped), it is one of the most organized efforts we've encountered so far. Below we've outlined the approach that was used and the findings of our investigation as an FYI to others who may be on the target list.&lt;br /&gt;&lt;br /&gt;If there's anything we've learned since the practice of malvertising has surfaced (and has since proliferated), it's that you can't be too detailed with your client background checks and creative reviews. We've always been big on our screening procedures, and these days it's proving to be an increasingly valuable practice. Malvertising reflects negatively on the entire online media industry and the onus has to fall on us (suppliers) to put a stop to it. So, we want to share our learnings here for the greater community to hopefully benefit from.&lt;br /&gt;&lt;br /&gt;Here is a breakdown of the approach used by the individuals behind our most recent malware experience, how we caught them, and the findings of our subsequent investigation. 
We've also highlighted some pink flags (and the ultimate red flag) that came up along the way, as well as our key takeaways from the experience including some of the steps we now have in place (and which you may want to consider implementing) to help us identify similar perpetrators sooner than later.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Initial contact, proposal and campaign review&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;The culprits approached us in early July representing themselves as an agency looking to place a campaign for both a big name charity and a travel client (we are omitting names to protect their brands from being associated with this scam. We have no reason to believe they were involved). Following our proposal phase, "Bellas," informed us that the big name charity was still "undergoing approval phase", but that their travel client had approved a test on our network and wanted to proceed.&lt;br /&gt;&lt;br /&gt;(Pink flag: while not completely implausible, it is rare for an unknown agency to bring one or more large brands to the table, let alone doing so without first undergoing a formal RFI/RFP process.)&lt;br /&gt;&lt;br /&gt;Despite the pink flag, we proceeded, and because we had never worked with this agency before, we began by processing their request for credit. Each of the references provided had professionally produced websites and unique phone numbers -- nothing at the surface level that would raise any suspicion. The bank reference was real (a real bank, that is) and the phone number provided worked. The information we requested was supplied to us in an official, expected manner. 
Nothing out of the ordinary here.&lt;br /&gt;&lt;br /&gt;All three references we contacted provided prompt and friendly responses and each reported that they had been doing business with Bellas for anywhere between two years and six months at fairly respectable sums.&lt;br /&gt;&lt;br /&gt;For added assurance, the "fake agency" supplied us with a PDF which was represented as an official document of incorporation.&lt;br /&gt;&lt;br /&gt;With no glaring reason to deny, we approved their application for limited starter credit and proceeded to the next step, campaign setup.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Campaign Setup and QA&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;The campaign's goals were a little unusual for what we would typically consider to be a direct response advertiser:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;We are really focused on reach and unique viewers optimizations. Thus tight frequency cap like 1/24 or 1/48 can work. CTR is secondary goal at this point. A lot of people don't know much about client services and we want to cover every single possible customer.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;We logged their goals and rationale. We also noted them as a pink flag. The proprietors of these scams typically focus more on unique reach and frequency than on targeting, audience or optimization - a focus that, in general terms, is most unusual for the average online advertiser. Of course, in hindsight, their interest in unique reach stemmed from their desire to infect across the widest possible net.&lt;br /&gt;&lt;br /&gt;On our initial request for creative, "Bellas" provided us with a set of third-party tags, which were rejected because they were not from one of our certified ad serving vendors.&lt;br /&gt;&lt;br /&gt;We were then provided with raw creative files. While the creative were clean (i.e. 
no malicious code), there were some minor design flaws including missing borders and file sizes that exceed our standard maximums. We informed them of these issues and they responded:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;We are currently run[ning] with AOL and Yahoo (including comscore 1-150 pubs) and they are cool.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Hum, really? AOL and Yahoo have some of the strictest ad specs around...(pink flag).&lt;br /&gt;&lt;br /&gt;After some lengthy back and forth about the creative revisions...&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;We are not able to reduce creative size without sacrificing quality. If you cannot run creative size more than 20kb -- we can host. If not -- we wont be able to proceed with campaign.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;"Bellas," at that point, requested that we run an impression tracking URL. The "OpenX" URL provided to us was flagged during our QA review, another pink flag; the formatting and characters were not consistent with the standard employed by OpenX. We informed Bellas that to use the URL we would need to perform a few modifications to make it consistent with the standard. We provided an example of the modified URL and then received the following responses:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;I have contacted OpenX support to find out. Meanwhile I got another pixel for you. We have used it with our hosted campaigns and it worked wonders.&lt;br /&gt;&lt;br /&gt;Client prefers Eyeblaster tracking URL (their ad server). Would be cool if you can implement. If not -- OpenX is perfectly fine.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;Next, Bellas, informed us of the "response" they received from "OpenX support" and then supplied us with a new pixel to use.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;"Hi Henry. 
Looks like Casale runs , which is NOSCRIPT part of the code, instead of JS pixel (script part), that affects reporting a bit and you cannot add any additional tracking code." Are you able to implement JS OpenX pixel or Eyeblaster pixel directly? Alternatively, we can provide tags&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;After informing "Bellas" that we would forward the new pixel to our traffic team for evaluation, we received the following response...&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Client have sent another pixel, from zedo.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;Pink flag. So now we have a client who wanted to serve through OpenX, then Eyeblaster, and now Zedo? Really? We reviewed the Zedo tracking URL and asked for confirmation about a few details since it did not conform to the ad server's standard. They replied,&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;For JS pixel to work properly, you need to load is exactly like that ... Will work.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;Red flag! The set of tags provided were imitation tags. We ended discussions with the client at this point since things were just not adding up, and launched a detailed investigation to confirm our suspicions.&lt;br /&gt;&lt;br /&gt;During our investigation we discovered the phone number provided in the credit application was not a legit phone number for the bank. We also learned that the domains of each of the references provided were registered within two days of each other... and that the registrations took place only days before Bellas Interactive's request for credit was issued - despite the fact that the references "claimed" to be working with Bellas across a 6-24 month spread. 
And finally, the Bellas Interactive website claimed to be in operation since 1994, despite the fact that the domain was registered in April of this year.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;In Summary&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;Entities like this are cunning and smart. Their scams are well thought through and executed. The best defence against them is rigorous proactive screening. You have to be really, really astute. Question everything. These guys know the industry lingo, procedures and have created a false environment designed specifically to validate their non-existence. Even the most insignificant detail can be a huge clue.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Our Lessons Learned and Advice for Others&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;Perform independent fact checking.&lt;br /&gt;Don't take the information provided to you on bank/credit reference applications at face value. Perform a few spot checks to validate the sources. If, when we looked up the bank reference, we had cross referenced the phone number provided by Bellas with the numbers listed on the bank's website, we would have exposed a major crack in their armour upfront, which would have saved us a lot of wasted time and effort.&lt;br /&gt;&lt;br /&gt;Research. Then research some more.&lt;br /&gt;Make it SOP to do research on not only the agency in question, but the credit references provided to you. Search for them online, do a WHOIS lookup on the domains, ask around. Make certain that everything adds up. You can't be too cautious.&lt;br /&gt;&lt;br /&gt;When the going gets tough...&lt;br /&gt;If a client is difficult to work with, there's probably a reason for it. Standards exist for a reason. Any account that is operating outside the norms should register as an immediate red flag to you. 
Issues surrounding pixels, creative design, obsession over going live too quickly with no sound rationale or justification...any of these examples should set alarm bells off in your head!&lt;br /&gt;&lt;br /&gt;Be suspicious.&lt;br /&gt;Perception is selective. It's natural for small details to escape us when we're not on guard or actively looking for something. It's also easy to get overly comfortable with the mechanics of a standard procedure. If you approach every new account with suspicion, you'll be far more aware of any detail that may seem out of place.&lt;br /&gt;&lt;br /&gt;Don't assume. Question and verify.&lt;br /&gt;Certify third party ad servers that you are willing to deliver through, and keep clear lines of communication open with them at all times. Store tag templates and use them in your QA/review process. If a tag deviates from the standard template that you typically see from a third party ad server, escalate to them for an opinion. Never assume that the template has changed, always question it.&lt;br /&gt;&lt;br /&gt;Re-examine critical points in your new account process.&lt;br /&gt;When an account is new, consider minimizing the involvement of your sales staff in the review and verification process. 
In some cases, a sales person's thirst for new revenue can hamper their nose for suspicious behavior.&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-8251147327463477040?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/8251147327463477040/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=8251147327463477040' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/8251147327463477040'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/8251147327463477040'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/11/anatomy-of-attempted-malware-scam.html' title='Anatomy Of An Attempted Malware Scam'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-2496971125894753736</id><published>2010-11-14T20:50:00.002-05:00</published><updated>2010-11-14T20:56:11.296-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Crime'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>USAA Credential Phishing</title><content type='html'>&lt;a href="http://labs.m86security.com/2010/11/usaa-credential-phishing/"&gt;Security company M86 blogs&lt;/a&gt; about a sophisticated phishing 
attack targeting members of the USAA. Would you have spotted this attack?&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;Today we started seeing a new phishing campaign which is being sent by the Cutwail spambot, targeting customers of the United States Automobile Association (USAA). Cutwail is the spamming component installed by the Pushdo botnet. The phishing emails ask the recipient to fill out a ‘confirmation form’ which they can access by clicking on a link in the message&lt;/span&gt;.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://labs.m86security.com/wp-content/uploads/2010/11/usaa_mail.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 639px; height: 400px;" src="http://labs.m86security.com/wp-content/uploads/2010/11/usaa_mail.png" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;To hide the URL of the phishing web page, these emails contain a link to one of several different URL shortening services such as http://bit.ly which redirect the browser to the actual phishing page.&lt;br /&gt;&lt;br /&gt;The link ‘Access USAA Confirmation Form’  in the spam email above points to http://bit . ly/agWGNG. When we tested this link, bit.ly had already determined that there may be a problem with the URL it was redirecting to and displayed a warning page rather than redirecting us to the phishing page.&lt;br /&gt;&lt;br /&gt;If we choose to ignore this warning and continue to the un-shortened URL, we end up at the page below, a phishing website aimed at stealing information from USAA members. This page, titled ‘Cardholder Form’, asks the user to provide information such as their online ID, password, name, card number, card security code and PIN. 
When the user clicks the submit button all of the details are sent to the criminals’ server and the users’ browser is redirected to the real USAA website.&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://labs.m86security.com/wp-content/uploads/2010/11/usaa_s.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 500px; height: 427px;" src="http://labs.m86security.com/wp-content/uploads/2010/11/usaa_s.png" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;For now, this phishing site, which is hosted on the domain vsdfile (dot) ru is not serving up any malicious content. The USAA provides a banking and credit card service which may be the intended target of these criminals once they have tricked a customer into divulging their cardholder details.&lt;br /&gt;&lt;br /&gt;We have not seen one of these large scale phishing campaigns from Cutwail for some time, as the cybercriminals switched to spamming out links to the data-stealing Zeus malware.  
With the recent high profile arrests of several Zeus perpetrators, and all the subsequent public attention on Zeus, maybe phishing, where you politely ask for data instead of stealing it, will come back in fashion&lt;/span&gt;?&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-2496971125894753736?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/2496971125894753736/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=2496971125894753736' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/2496971125894753736'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/2496971125894753736'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/11/usaa-credential-phishing.html' title='USAA Credential Phishing'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-8416956878481954801</id><published>2010-11-14T20:36:00.003-05:00</published><updated>2010-11-14T20:42:47.371-05:00</updated><title type='text'>Pentagon is debating cyber-attacks</title><content type='html'>Fascinating article by the Washington Post's Ellen Nakashima detailing the policy debate surrounding the use of offensive cyber warfare. 
Some interesting excerpts from the article include ...&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;Cyber Command's chief, Gen. Keith B. Alexander, who also heads the National Security Agency, wants sufficient maneuvering room for his new command to mount what he has called "the full spectrum" of operations in cyberspace.&lt;br /&gt;&lt;br /&gt;Offensive actions could include shutting down part of an opponent's computer network to preempt a cyber-attack against a U.S. target or changing a line of code in an adversary's computer to render malicious software harmless. They are operations that destroy, disrupt or degrade targeted computers or networks.  &lt;br /&gt;&lt;br /&gt;But current and former officials say that senior policymakers and administration lawyers want to limit the military's offensive computer operations to war zones such as Afghanistan, in part because the CIA argues that covert operations outside the battle zone are its responsibility and the State Department is concerned about diplomatic backlash.&lt;br /&gt;&lt;br /&gt;The administration debate is part of a larger effort to craft a coherent strategy to guide the government in defending the United States against attacks on computer and information systems that officials say could damage power grids, corrupt financial transactions or disable an Internet provider.&lt;br /&gt;&lt;br /&gt;The effort is fraught because of the unpredictability of some cyber-operations. An action against a target in one country could unintentionally disrupt servers in another, as happened when a cyber-warfare unit under Alexander's command disabled a jihadist Web site in 2008. 
Policymakers are also struggling to delineate Cyber Command's role in defending critical domestic networks in a way that does not violate Americans' privacy.&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Read the full article &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2010/11/05/AR2010110507464.html"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-8416956878481954801?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/8416956878481954801/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=8416956878481954801' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/8416956878481954801'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/8416956878481954801'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/11/pentagon-is-debating-cyber-attacks.html' title='Pentagon is debating cyber-attacks'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-5280874140093879078</id><published>2010-11-14T15:27:00.002-05:00</published><updated>2010-11-14T15:32:18.871-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Crime'/><title type='text'>Mapping Attacks Against Online Banks</title><content type='html'>From &lt;a 
href="http://krebsonsecurity.com/2010/11/charting-the-carnage-from-ebanking-fraud-ii/"&gt;Krebsonsecurity.com&lt;/a&gt; ...&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;Several readers have asked to be notified if the U.S. map showing recent victims of high-dollar online banking thefts was updated. Below is a (non-interactive) screen shot of the updated, interactive map that &lt;a href="http://www.batchgeo.com/map/483cd995e217a9dc46d4386db15413c5"&gt;lives here&lt;/a&gt;. Click the red markers to see more detail about the victim at that location, including a link to a story about the attack.&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://krebsonsecurity.com/wp-content/uploads/2010/11/victmap2-1024x615.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 1024px; height: 615px;" src="http://krebsonsecurity.com/wp-content/uploads/2010/11/victmap2-1024x615.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-5280874140093879078?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/5280874140093879078/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=5280874140093879078' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/5280874140093879078'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/5280874140093879078'/><link rel='alternate' type='text/html' 
href='http://gucosc011.blogspot.com/2010/11/mapping-attacks-against-online-banks.html' title='Mapping Attacks Against Online Banks'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-6158655549150585357</id><published>2010-11-14T15:15:00.002-05:00</published><updated>2010-11-14T15:18:28.469-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Information Warfare'/><title type='text'>Attack Severs Burma Internet</title><content type='html'>From &lt;a href="http://asert.arbornetworks.com/2010/11/attac-severs-myanmar-internet/"&gt;Arbor Networks&lt;/a&gt; ....&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;Back in 2007, the Burmese government reportedly severed the country’s Internet links in a crackdown over growing political unrest.&lt;br /&gt;&lt;br /&gt;Yesterday, Burma once again fell off the Internet. Over the last several days, a rapidly escalating, large-scale DDoS has targeted Burma’s main Internet provider, the Ministry of Post and Telecommunication (MPT), disrupting most network traffic in and out of the country.&lt;br /&gt;&lt;br /&gt;While the motivation for the attack is unknown, Twitter and Blogs have been awash in speculation ranging from blaming the Burma / Myanmar government (preemptively disrupting Internet connectivity ahead of the November 7 general elections) to external attackers with still mysterious motives. 
The Myanmar Times reports the attack has been ongoing since October 25th (and adds the attack may impact Burma’s tourist industry).&lt;br /&gt;&lt;br /&gt;We estimate the Burma DDoS between 10-15 Gbps (several hundred times more than enough to overwhelm the country’s 45 Mbps T3 terrestrial and satellite links). The DDoS includes dozens of individual attack components (e.g. TCP syn, rst flood) against multiple IP addresses within MPT’s address blocks (203.81.64.0/19, 203.81.72.0/24, 203.81.81.0/24 and 203.81.82.0/24). The attack also appears fairly well-distributed — ATLAS data shows attack traffic across 20 or more providers with a broad range of source addresses.&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://farm5.static.flickr.com/4057/5147023144_cdc71c82eb_b.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 812px; height: 311px;" src="http://farm5.static.flickr.com/4057/5147023144_cdc71c82eb_b.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;While DDoS against e-commerce and commercial sites are common (hundreds per day), large-scale geo-politically motivated attacks — especially ones targeting an entire country — remain rare with a few notable exceptions. At 10-15 Gbps, the Burma attack is also significantly larger than the 2007 Georgia (814 Mbps) and Estonia DDoS. Early this year, Burmese dissident web sites (hosted outside the country) also came under DDoS attacks.&lt;br /&gt;&lt;br /&gt;At present I do not know the motives for this attack but our past DDoS analysis have observed the gamut from politically motivated DDoS, government censorship, extortion and stock manipulation. 
I’ll update this blog if I get more details.&lt;/span&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-6158655549150585357?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/6158655549150585357/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=6158655549150585357' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/6158655549150585357'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/6158655549150585357'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/11/attack-severs-burma-internet.html' title='Attack Severs Burma Internet'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://farm5.static.flickr.com/4057/5147023144_cdc71c82eb_t.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-5492618963059136723</id><published>2010-11-14T10:41:00.001-05:00</published><updated>2010-11-14T10:43:07.736-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Crime'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>US internet hosts are linchpin of 
criminal botnets</title><content type='html'>From the &lt;a href="http://www.newscientist.com/article/mg20827866.000-us-internet-hosts-are-linchpin-of-criminal-botnets.html"&gt;New Scientist&lt;/a&gt; ...&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;WHILE criminal gangs in Russia and China are responsible for much of the world's cybercrime, many of the servers vital to their activities are located elsewhere. An investigation commissioned by New Scientist has highlighted how facilities provided by internet companies in the US and Europe are crucial to these gangs' activities.&lt;br /&gt;&lt;br /&gt;Researchers at Team Cymru, a non-profit internet security company based in Burr Ridge, Illinois, delved into the world of botnets - networks of computers that are infected with malicious software. Millions of machines can be infected, and their owners are rarely aware that their computers have been compromised or are being used to send spam or steal passwords.&lt;br /&gt;&lt;br /&gt;Several botnets have been linked to gangs based in Russia, where police have a poor record on tackling the problem. But to manage their botnets these gangs often seem to prefer to use computers, known as command-and-control (C&amp;C) servers, in western countries. More than 40 per cent of the 1500 or so web-based C&amp;C servers Team Cymru has tracked this year were in the US. When it comes to hosting C&amp;C servers, "the US is significantly ahead of anyone else", says Steve Santorelli, Team Cymru's director of global outreach in San Diego.&lt;br /&gt;&lt;br /&gt;Santorelli and his colleagues also detected a daily average of 226 C&amp;C servers in China and 92 in Russia. 
But European countries not usually linked with cybercrime were in a similar range, with an average of 120 C&amp;C servers based in Germany and 64 in the Netherlands.&lt;br /&gt;&lt;br /&gt;Internet hosts in western countries appeal to criminals for the same reasons that regular computer users like them, says Santorelli: the machines are extremely reliable and enjoy high-bandwidth connections. Team Cymru's research did not identify which companies are hosting botnet servers, but Santorelli says the list would include well-known service providers.&lt;br /&gt;&lt;br /&gt;The use of US-based C&amp;C servers to control botnets is a source of frustration to security specialists, who have long been aware of the problem. It is happening even though most hosting companies shut down C&amp;C servers as soon as they receive details of botnet activity from law enforcement agencies and security firms. "When we see an AT&amp;T address serving as a botnet control point, we take it very seriously," says Michael Singer, an executive director at AT&amp;T.&lt;br /&gt;&lt;br /&gt;Despite these efforts, the criminals can quickly re-establish control by setting up a new C&amp;C server with a different company, often using falsified registration information and stolen credit card details.&lt;br /&gt;&lt;br /&gt;Hosting companies deal with botnets on a voluntary basis at present. They might be more vigilant if required to act by law, but that would create its own regulatory problems, Santorelli says. "The cops don't run or govern the internet after all, and neither do they want to," he says. 
For legal controls to work, it would be necessary to define who has the authority to decide whether a server is part of a botnet, and how requests from authorities abroad are dealt with.&lt;br /&gt;&lt;br /&gt;Jeffrey Carr of security firm Taia Global, based in Washington DC, says that some less well-known providers have been warned about botnet activity on many occasions, but drag their heels when asked to shut down the criminals' servers.&lt;br /&gt;&lt;br /&gt;The problem arises partly because web hosting can be a big earner for some firms. "They're generating millions of dollars in income," says Carr. Improvements in security, such as requiring service providers to verify the details of people who rent server facilities, could well hurt these firms' bottom line.&lt;/span&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-5492618963059136723?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/5492618963059136723/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=5492618963059136723' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/5492618963059136723'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/5492618963059136723'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/11/us-internet-hosts-are-linchpin-of.html' title='US internet hosts are linchpin of criminal botnets'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-4574589307824066222</id><published>2010-11-14T10:34:00.002-05:00</published><updated>2010-11-14T10:43:39.568-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Espionage'/><category scheme='http://www.blogger.com/atom/ns#' term='Information Warfare'/><title type='text'>Nobel Peace Prize, Amnesty HK and Malware</title><content type='html'>From &lt;a href="http://www.nartv.org/2010/11/12/nobel-peace-prize-amnesty-hk-and-malware/"&gt;Nart Villeneuve&lt;/a&gt; at SecDev.cyber ...&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;There have been two recent attacks involving human rights and malware. First, on November 7, 2010, contagiodump.blogspot.com posted an analysis of a malware attack that masqueraded as an invitation to attend an event put on by the Oslo Freedom Forum for Nobel Peace Prize winner Liu Xiaobo. The malware exploited a known vulnerability (CVE-2010-2883) in Adobe Reader/Acrobat. The Committee to Protect Journalists was hit by the same attack.&lt;br /&gt;&lt;br /&gt;On November 10, 2010 Websense reported that website of Amnesty Hong Kong was compromised and was delivering an Internet Explorer 0day exploit (CVE-2010-3962) to visitors. In addition, Websense reports that the same malicious server was serving three additional exploits: a Flash exploit (CVE-2010-2884), a QuickTime exploit (CVE-2010-1799) and a Shockwave exploit (CVE-2010-3653).&lt;br /&gt;&lt;br /&gt;The malicious domain name hosting the exploits mailexp.org (74.82.168.10) has been serving malware since Sept. 2010. The domain mailexp.org was registered in May 2010 to y_yum22@yahoo.com. 
mailexp.org was formerly hosted on 74.82.172.221 which now hosts the Zhejiang University Alumni Association website.&lt;br /&gt;&lt;br /&gt;The malware dropped from the Internet Explorer exploit (CVE-2010-3962)&lt;br /&gt;scvhost.txt&lt;br /&gt;MD5: ca80564d93fbe6327ba6b094ae3c0445 VT: 2 /43&lt;br /&gt;&lt;br /&gt;The malware dropped from the Flash exploit (CVE-2010-2884)&lt;br /&gt;hha.exe&lt;br /&gt;MD5: 0da04df8166e2c492e444e88ab052e9c VT: 2 /43&lt;br /&gt;&lt;br /&gt;The malware dropped from the QuickTime exploit (CVE-2010-1799)&lt;br /&gt;qq.exe&lt;br /&gt;MD5: 3e54f1d3d56d3dbbfe6554547a99e97e VT: 16 /43&lt;br /&gt;&lt;br /&gt;The malware dropped from the Shockwave exploit (CVE-2010-3653)&lt;br /&gt;pdf.exe&lt;br /&gt;MD5: 3a459ff98f070828059e415047e8d58c VT: 0/43&lt;br /&gt;&lt;br /&gt;Both ca80564d93fbe6327ba6b094ae3c0445 and 3a459ff98f070828059e415047e8d58c perform a DNS lookup for ns.dns3-domain.com, which is an alias for centralserver.gicp.net which resolves to 221.218.165.24 (China Unicom Beijing province network).&lt;br /&gt;&lt;br /&gt;The domain name “ns.dns3-domain.com” has been associated with a variety of malware going back to May 2010. This domain name, dns3-domain.com is registered to zhanglei@netthief.net, the developer of the NetThief RAT.&lt;br /&gt;&lt;br /&gt;Malware attacks leveraging human rights issues are not new. I have been documenting them for some time (see, Human Rights and Malware Attacks, Targeted Malware Attack on Foreign Correspondent’s based in China, “0day”: Civil Society and Cyber Security). However, one of the issues that Greg Walton and I raised last year, is a trend toward using the real web sites of human rights organizations compromised and as vehicles to deliver 0day exploits to the visitors of the sites – many of whom may be staff and supporters of the specific organization. 
Unfortunately, we can expect this to continue.&lt;/span&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-4574589307824066222?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/4574589307824066222/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=4574589307824066222' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/4574589307824066222'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/4574589307824066222'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/11/nobel-peace-prize-amnesty-hk-and.html' title='Nobel Peace Prize, Amnesty HK and Malware'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-1134619674657990821</id><published>2010-11-08T21:14:00.002-05:00</published><updated>2010-11-08T21:19:00.425-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='Information Warfare'/><title type='text'>Google Hacking SCADA</title><content type='html'>Interesting Tweet from Ruben Santamarta at reversemode.com.&lt;br /&gt;&lt;br /&gt;It's not a good idea to expose a SCADA Control Center of Wind Turbines in a public subdomain 
&lt;a href="http://is.gd/gNLts"&gt;http://is.gd/gNLts&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Basically, Ruben found the login page to an Industrial Control System ... ouch!&lt;br /&gt;&lt;br /&gt;You can follow Ruben on Twitter here &lt;a href="https://twitter.com/#!/reversemode"&gt;@reversemode&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-1134619674657990821?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/1134619674657990821/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=1134619674657990821' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1134619674657990821'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1134619674657990821'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/11/google-hacking-scada.html' title='Google Hacking SCADA'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-597710114240223881</id><published>2010-11-08T21:03:00.002-05:00</published><updated>2010-11-08T21:12:58.626-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='Information Warfare'/><title type='text'>Metasploit and SCADA exploits: dawn of a new 
era?</title><content type='html'>Courtesy &lt;a href="http://www.zdnet.com/blog/security/metasploit-and-scada-exploits-dawn-of-a-new-era/7672?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed:+zdnet/security+(ZDNet+Zero+Day)"&gt;Shawn Merdinger&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;On 18 October, 2010 a significant event occurred concerning threats to SCADA (supervisory control and data acquisition) environments.&lt;br /&gt;&lt;br /&gt;That event is the addition of a zero-day exploit for the RealFlex RealWin SCADA software product into the Metasploit repository.  Here are some striking facts about this event:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;This was a zero-day vulnerability that unfortunately was not reported publicly, to an organization like ICS-CERT or CERT/CC, or (afaik) to the RealFlex vendor.&lt;/li&gt;&lt;li&gt;This exploit was not added to the public Exploit-DB site until 27 October, 2011.&lt;/li&gt;&lt;li&gt;The existence of this exploit was not acknowledged with an ICS-CERT advisory until 1 November, 2010.&lt;/li&gt;&lt;li&gt;This is the first SCADA exploit added to Metasploit.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;So what are the lessons learned and takeaways from this seminal event?&lt;br /&gt;&lt;br /&gt;First, the SCADA community can expect to see an explosion of vulnerabilities and accompanying exploits against SCADA devices in the near future.&lt;br /&gt;&lt;br /&gt;Personally, I expect we will see in the next 12 months at least a doubling of the known 16 SCADA vulnerabilities documented in NIST’s National Vulnerability Database.&lt;br /&gt;&lt;br /&gt;Second, the diverse information sources in which SCADA vulnerabilities may appear must be vigilantly monitored by numerous organizations and security researchers.&lt;br /&gt;&lt;br /&gt;Afaik, the first widely-disseminated information on the RealFlex RealWin buffer overflow occurred on 1 November, when I sent the information to the SCADASEC mailing list.&lt;br /&gt;&lt;br /&gt;Third, 
people should recognize that the recent Stuxnet threat has cast a light on SCADA security issues.  Put bluntly, there is blood in the water.&lt;br /&gt;&lt;br /&gt;Quite a few people, companies and other organizations are currently investigating SCADA product security, buying equipment and conducting security testing for a number of differing interests and objectives.&lt;br /&gt;&lt;br /&gt;I expect SCADA security issues will be the shiny hot topic on the 2011 security and hacker conference circuit, both in the US and abroad.&lt;br /&gt;&lt;br /&gt;Fourth, understand that because of the current broken business model, security researchers are often frustrated by software vendors’ action, or inaction, when it comes to reporting vulnerabilities.&lt;br /&gt;&lt;br /&gt;Often, there is no security point-of-contact at the vendor.  Even worse, the technical support who are contacted by the security researcher often do not understand the technical and security implications of the issue reported.&lt;br /&gt;&lt;br /&gt;And it is worth mentioning that a vendor acknowledging a product security issue is then “on the hook” — so there is incentive for the vendor to dismiss the vulnerability report.&lt;br /&gt;&lt;br /&gt;Even in the case of specialty SCADA security shops reporting vulnerabilities to the vendor, we are seeing documented cases of “vendor spin” furthering the bad blood between vendors and ethical research.&lt;br /&gt;&lt;br /&gt;All of these factors lead to frustrated security researchers, some of whom will simply expose the vulnerability and exploit to the world, rather than take a disclosure path through a CERT.&lt;br /&gt;&lt;br /&gt;Fifth, folks should recognize that attack frameworks like Metasploit enable a never-before-seen level of integration of these kinds of targeted critical infrastructure-related exploits into a powerful tool.&lt;br /&gt;&lt;br /&gt;For a kinetic metaphor, Metasploit is akin to a .50 caliber sniper rifle, and a zero-day SCADA vulnerability 
is equivalent to a .50 caliber depleted uranium round for that rifle.&lt;br /&gt;&lt;br /&gt;As a SCADA end user, what are you to do?&lt;br /&gt;&lt;br /&gt;I recommend the following, at a minimum:  push your vendors to have a product security POC and process, monitor resources like SCADASEC, keep current with tools like Metasploit, receive vulnerability notifications from appropriate CERT organizations like ICS-CERT.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-597710114240223881?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/597710114240223881/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=597710114240223881' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/597710114240223881'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/597710114240223881'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/11/metasploit-and-scada-exploits-dawn-of.html' title='Metasploit and SCADA exploits: dawn of a new era?'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-3517521013177980145</id><published>2010-10-31T21:07:00.002-04:00</published><updated>2010-10-31T21:11:57.266-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Cyber Crime'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Avalanche Gang: The Ultimate Bank Robbers?</title><content type='html'>From &lt;a href="http://www.zdnet.co.uk/blogs/walsingham-10020628/avalanche-gang-the-ultimate-bank-robbers-10020856/"&gt;ZDNet&lt;/a&gt; ...&lt;br /&gt;&lt;br /&gt;This time last year it was being reported that the Avalanche Gang was responsible for around two thirds of all phishing attacks on the Internet. But Avalanche, described at the time as being "one of the most sophisticated and damaging on the Internet" by the Anti-Phishing Working Group (APWG) was only responsible for a paltry four conventional phishing attacks during the month of July 2010. Which you might think is good news, and it would be were it not for the fact that the Avalanche Gang has not hung up its spurs and given up cyber crime.&lt;br /&gt;&lt;br /&gt;At the tail end of last year ZDNet UK reported that the Avalanche Gang, named after the botnet it employs, was collaborating with the people behind the Zeus botnet. Back then, in December 2009, Vincent Hanna who was employed as an investigator for the Spamhaus Project told ZDNet UK that the gangs behind Avalanche and Zeus were using each other's infrastructure on a purely commercial basis: "We see that the same viruses are emitting mails that benefit [the] different groups, either through spammed URLs or attached malware."&lt;br /&gt;&lt;br /&gt;Fast forward to now, and it looks like the Avalanche Gang has completed its transition from conventional phishing and spam outfit to the world's biggest bank robbers. According to the latest APWG research, Avalanche has "moved from using conventional phishing to massively propagating stealthy password-stealing crimeware that does not require user cooperation to surrender financial account credentials." 
&lt;br /&gt;&lt;br /&gt;The Avalanche Gang has been slowly ramping up a concerted campaign of crimeware propagation in order to con victims into getting infected by Zeus. Well, I say slowly, but everything is relative: according to the APWG research Avalanche has been sending billions of faked messages from tax authorities, false alerts/updates purporting to be from popular social networking sites, and other scams designed to deliver marks to drive-by download sites.&lt;br /&gt;&lt;br /&gt;I have heard nothing to suggest that there is any evidence that Operation Trident Breach, an international effort involving the FBI and the Metropolitan Police as well as other law enforcement agencies around the world and which has so far led to the arrest of 150 people involved with the Zeus operation, has actually led to any arrests of Avalanche Gang members. &lt;br /&gt;&lt;br /&gt;As Rod Rasmussen, co-author of the APWG research report, says: "Their spamming and other activities to target victims continues at high levels, implying they are finding malware distribution a more effective and profitable tactic than traditional phishing." 
With Zeus being responsible for hundreds of millions of pounds worth of theft to date, and no Avalanche arrests making the headlines, that would make the Avalanche Gang the most successful bank robbers in history.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-3517521013177980145?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/3517521013177980145/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=3517521013177980145' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/3517521013177980145'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/3517521013177980145'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/10/avalanche-gang-ultimate-bank-robbers.html' title='Avalanche Gang: The Ultimate Bank Robbers?'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-6706134157507028052</id><published>2010-10-31T20:55:00.000-04:00</published><updated>2010-10-31T20:56:05.114-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='Information Warfare'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>China Has Ability to 
Hijack U.S. Military Data, Report Says</title><content type='html'>From Jeff Bliss and Tony Capaccio at Bloomberg ...&lt;br /&gt;&lt;br /&gt;China in the past year demonstrated it can direct Internet traffic, giving the nation the capability to exploit “hijacked” data from the U.S. military and other sources, according to a new report.&lt;br /&gt;&lt;br /&gt;Recent actions raise questions that “China might seek intentionally to leverage these abilities to assert some level of control over the Internet,” according to excerpts from the final draft of an annual report by the U.S.-China Economic and Security Review Commission. “Any attempt to do this would likely be counter to the interests of the United States and other countries.”&lt;br /&gt;&lt;br /&gt;On April 8, China Telecom Corp., the nation’s third-largest mobile-phone company, instructed U.S. and other foreign-based Internet servers to route traffic to Chinese servers, the report said. The 18-minute re-routing included traffic from the U.S. military, the Senate and the office of Defense Secretary Robert Gates.&lt;br /&gt;&lt;br /&gt;“Although the commission has no way to determine what, if anything, Chinese telecommunications firms did to the hijacked data, incidents of this nature could have a number of serious implications,” the report said. 
The re-routing showed how data could be stolen and communications with websites could be disrupted, the report said.&lt;br /&gt;&lt;br /&gt;Read more &lt;a href="http://www.bloomberg.com/news/2010-10-21/china-has-ability-to-hijack-u-s-military-data-report-says.html"&gt;here&lt;/a&gt; ...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-6706134157507028052?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/6706134157507028052/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=6706134157507028052' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/6706134157507028052'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/6706134157507028052'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/10/china-has-ability-to-hijack-us-military.html' title='China Has Ability to Hijack U.S. 
Military Data, Report Says'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-6680622911830859523</id><published>2010-10-31T20:47:00.001-04:00</published><updated>2010-10-31T20:49:54.424-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>iPwned!</title><content type='html'>From the &lt;a href="http://forums.macrumors.com/showthread.php?t=1035879"&gt;MacRumors forum&lt;/a&gt; ...&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;When your iPhone is locked with a passcode, tap Emergency Call, then enter a non-emergency number such as ###. Next tap the call button and immediately hit the lock button. It should open up the Phone app where you can see all your contacts, call any number, etc.&lt;br /&gt;&lt;br /&gt;My iPhone is jailbroken so that could be causing it.
Can anyone confirm that it works on non-jailbroken iPhones?&lt;/span&gt;&lt;/blockquote&gt;Check out a video demo&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;iframe src="http://player.vimeo.com/video/16179929" width="400" height="300" frameborder="0"&gt;&lt;/iframe&gt;&lt;p&gt;&lt;a href="http://vimeo.com/16179929"&gt;Bug no iOS 4.1&lt;/a&gt; from &lt;a href="http://vimeo.com/salomao"&gt;Salomão Filho&lt;/a&gt; on &lt;a href="http://vimeo.com/"&gt;Vimeo&lt;/a&gt;.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-6680622911830859523?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/6680622911830859523/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=6680622911830859523' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/6680622911830859523'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/6680622911830859523'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/10/ipwned.html' title='iPwned!'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-3702340069262690168</id><published>2010-10-31T20:43:00.001-04:00</published><updated>2010-10-31T20:45:19.072-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' 
term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='Information Warfare'/><title type='text'>stuxnet: targeting the iranian enrichment centrifuges in Natanz?</title><content type='html'>From Frank Rieger's blog ...&lt;br /&gt;&lt;br /&gt;I did a writeup of the stuxnet story so far for the large German newspaper Frankfurter Allgemeine Zeitung (FAZ), out in print today (now also online here). Unfortunately the page-one teaser image chosen by the frontpage editor is outright silly, and the picture chosen by the FAZ for the main piece is the reactor in Bushehr, as the facility in Natanz is optically less attractive. But, hey, the story is what counts. I want to comment on some of the more detailed aspects here, that were not fit for the more general audience of the FAZ, and also outline my reasoning, why I think stuxnet might have been targeted at the uranium centrifuges in Natanz, instead of Bushehr as guessed by others.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;stuxnet is a class of nation-state weapons-grade attack software not publicly seen so far. It is using four different zero-day exploits, two stolen certificates to get proper insertion into the operating system and a really clever multi-stage propagation mechanism, starting with infected USB-sticks, ending with code insertion into Siemens S7 SPS industrial control systems. One of the Zero-Days is a USB-stick exploit named LNK that works seamlessly to infect the computer the stick is put into, regardless of the Windows operating system version – from the fossil Windows 2000 to the most modern and supposedly secure Windows 7.&lt;br /&gt;&lt;br /&gt;The stuxnet software is exceptionally well written, it makes very very sure that nothing crashes, no outward signs of the infection can be seen and, above all, it makes pretty sure that its final payload, which manipulates parameters and code in the SPS computer, is only executed if it is very certain to be on the right system.
In other words: it is extremely targeted and constructed and built to be as side-effect free as humanly possible. Words used by reverse engineers working on the thing are “After 10 years of reverse-engineering malware daily, I have never ever seen anything that comes even close to this”, and from another “This is what nation states build, if their only other option would be to go to war”.&lt;br /&gt;&lt;br /&gt;Industrial control systems, also called SCADA, are very specific for each factory. They consist of many little nodes, measuring temperature, pressure, flow of fluids or gas, they control valves, motors, whatever is needed to keep the often dangerous industrial processes within their safety and effectiveness limits. So both the hardware module configuration and the software are custom made for each factory. For stuxnet they look like a fingerprint. Only if the right configuration is identified, it does more than just spreading itself. This tells us one crucial thing: the attacker knew very precisely the target configuration. He must have had insider support or otherwise access to the software and configuration of the targeted facility.&lt;br /&gt;&lt;br /&gt;I will not dive very much into who may be the author of stuxnet. It is clear that it has been a team effort, that a very well trained and financed team with lots of experience was needed, and that the resources needed to be allocated to buy or find the vulnerabilities and develop them into the kind of exceptional zero-days used in the exploit. This is a game for nation state-sized entities, only two handfuls of governments and maybe as many very large corporate entities could manage and sustain such an effort to the achievement level needed to build stuxnet. As to whom of the capable candidates it could be: this is a trip into the Wilderness of Mirrors.
False hints are most likely placed all over the place, so it does not make much sense to put much time into this exercise for me.&lt;br /&gt;&lt;br /&gt;Regarding the target, things are more interesting. There is currently a lot of speculation that the Iranian reactor at Bushehr may have been the target. I seriously doubt that, as the reactor will for political reasons only go on-line when Russia wants it to go on-line, which they drag on for many years now, to the frustration of Iran. The political calculations behind this game are complex and involve many things like the situation in Iraq, the US withdrawal plans and Russia’s unwillingness to let the US actually have free military and political bandwidth to cause them trouble in their near abroad.&lt;br /&gt;&lt;br /&gt;But there is another theory that fits the available date much better: stuxnet may have been targeted at the centrifuges at the uranium enrichment plant in Natanz. The chain of published indications supporting the theory starts with stuxnet itself. According to people working on the stuxnet-analysis, it was meant to stop spreading in January 2009.
Given the multi-stage nature of stuxnet, the attacker must have assumed that it has reached its target by then, ready to strike.&lt;br /&gt;&lt;br /&gt;Read more &lt;a href="http://frank.geekheim.de/?p=1189"&gt;here&lt;/a&gt; ...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-3702340069262690168?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/3702340069262690168/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=3702340069262690168' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/3702340069262690168'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/3702340069262690168'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/10/stuxnet-targeting-iranian-enrichment.html' title='stuxnet: targeting the iranian enrichment centrifuges in Natanz?'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-4592104138593941421</id><published>2010-10-31T20:35:00.001-04:00</published><updated>2010-10-31T20:36:48.040-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='Information 
Warfare'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Indian OS</title><content type='html'>From &lt;a href="https://www.schneier.com/blog/archives/2010/10/indian_os.html"&gt;Bruce Schneier&lt;/a&gt; ...&lt;br /&gt;&lt;br /&gt;India is &lt;a href="http://www.theinquirer.net/inquirer/news/1741665/india-plans-write"&gt;writing its own operating system&lt;/a&gt; so it doesn't have to rely on Western technology:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;India's Defence Research and Development Organisation (DRDO) wants to build an OS, primarily so India can own the source code and architecture. That will mean the country won't have to rely on Western operating systems that it thinks aren't up to the job of thwarting cyber attacks. The DRDO specifically wants to design and develop its own OS that is hack-proof to prevent sensitive data from being stolen.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;On the one hand, this is great. We could use more competition in the OS market -- as more and more applications move into the cloud and are only accessed via an Internet browser, OS compatibility matters less and less -- and an OS that brands itself as "more secure" can only help. But this security by obscurity thinking just isn't true:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"The only way to protect it is to have a home-grown system, the complete architecture ... source code is with you and then nobody knows what's that," he added.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;The only way to protect it is to design and implement it securely.
Keeping control of your source code didn't magically make Windows secure, and it won't make this Indian OS secure.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-4592104138593941421?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/4592104138593941421/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=4592104138593941421' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/4592104138593941421'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/4592104138593941421'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/10/indian-os.html' title='Indian OS'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-2256681429189487820</id><published>2010-10-31T20:30:00.001-04:00</published><updated>2010-10-31T20:32:24.295-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='Information Warfare'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>The militarization of the Internet</title><content type='html'>Interesting thoughts on the &lt;a 
href="http://scrawford.net/blog/the-militarization-of-the-internet/1409/"&gt;militarization of the Internet from Susan Crawford&lt;/a&gt; ...&lt;br /&gt;&lt;br /&gt;Someone needs to take a good hard look at those Internet surveillance stories being strategically placed on the front page of the New York Times.&lt;br /&gt;&lt;br /&gt;There’s a trail here, I believe, that’s worth following.  Here are some data points:&lt;br /&gt;&lt;br /&gt;1.  Cyberattack - there appears to be a deep interest in the ability to declare war online, as evidenced by cybersecurity research and public speeches by Herbert Lin, a key player who has worked on several cybersecurity reports for the National Research Council.  Ethan Zuckerman has summarized a presentation by Lin, which included the following paraphrase of Lin’s remarks:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;If we’re interested in pre-empting cyber attack, “you need to be in the other guy’s networks.” But that may mean breaking into the home computers of US citizens. To the extent that cloud computing crosses national borders, perhaps we’re attacking computers in multiple jurisdictions. Lin wonders whether a more authenticated internet will actually help us to pre-empt attack. And he reminds us that US Strategic Command asserts authorization to conduct “active threat neutralization” – i.e., logging into your machine to stop an attack in progress. . . .&lt;br /&gt;&lt;br /&gt;Dr. Lin notes that it’s not a violation of international law to collect intelligence abroad. It’s possible to engage in covert action as regulated by US statute. And there’s an array of possible responses the US could launch in response to cyberattack (Lin pauses to note that he’s not advocating any of these) – we could attack enemy air defenses, hack their voting machines to influence an election, conduct campaigns of cyberexploitation to spy within those nations. 
Given all this, aren’t nations entitled to fear the consequences of a “free and open” internet? Might they reasonably choose to tighten national control over the internet?&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;2.  A “more authenticated Internet” would obviously include using the leverage provided by network operators to permit only fully-authorized, identified machines to connect.  The ability to remotely disconnect machines or devices until they are cleansed is now within reach for federal networks - this same capability will inevitably spread to private connections.&lt;br /&gt;&lt;br /&gt;3.  A “more authenticated Internet” would also include more-easily tappable applications as well as machines.  That’s what FBI Director Mueller is talking about in this video at 3:29.&lt;br /&gt;&lt;br /&gt;4.  There must be deep stress inside the USG re what the overall public position of the Administration will be on enhancing surveillance, authentication, and the ability to declare war online.  Secretary Clinton’s “Internet Freedom” speech of January 2010 made clear that the free flow of information online is an important component of the nation’s foreign policy.&lt;br /&gt;&lt;br /&gt;5.  Given this stress, the agencies that are most interested in forwarding cyberattack abilities, surveillance, guaranteed back doors for encrypted communications, and all the other trappings of a “more authenticated Internet” have an interest in portraying their vision of the future Internet as inevitable.  Part of that campaign would logically be to get the story into the mainstream media.&lt;br /&gt;&lt;br /&gt;6.  So, here we go - another front-page story yesterday in The Times:  “Officials Push to Bolster Law on Wiretapping.”  This is a hugely contentious issue.  
Should law enforcement be able to require all technologies online to have “back doors” allowing officials to (essentially) require that the same information be produced to them that was produced during the circuit-switched telephone era?&lt;br /&gt;7.  The Internet is not the same thing as a telephone network.  It’s a decentralized agreement to route packets of information to particular addresses.  It has made possible unparalleled innovation, free speech, and improvements to human lives around the world.  Retrofitting it to make it fit law enforcement’s (or national security’s) “authentication” needs would be an enormous, retrograde step.&lt;br /&gt;But it would certainly help us wage war online.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-2256681429189487820?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/2256681429189487820/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=2256681429189487820' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/2256681429189487820'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/2256681429189487820'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/10/militarization-of-internet.html' title='The militarization of the Internet'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-3314744644171776212</id><published>2010-10-31T20:18:00.002-04:00</published><updated>2010-10-31T20:28:22.661-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Crime'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Bredolab botnet shut down</title><content type='html'>From &lt;a href="http://www.f-secure.com/weblog/archives/00002056.html"&gt;F-Secure&lt;/a&gt; ...&lt;br /&gt;&lt;br /&gt;The Dutch National Crime Squad has announced a major takedown. The people behind the botnet have not been caught, but the servers (hosted in LeaseWeb IP space) have been taken over, effectively shutting down the botnet.&lt;br /&gt;&lt;br /&gt;Bredolab is a large family of complicated, polymorphic trojans. They have been distributed via drive-by-downloads and email. Bredolab is known to be connected to email spam campaigns and rogue security products. And the size of the botnet was massive: over 30 million infected computers and close to 150 command &amp; control servers.&lt;br /&gt;&lt;br /&gt;Interestingly, the crime squad has announced that they will be sending a warning to infected PCs: "Users of computers with viruses from this network will receive a notice of at the time of next login with information on the degree of infection." 
&lt;br /&gt;&lt;br /&gt;So they will probably use the existing botnet infrastructure to send a program to all infected machines, showing them a warning.&lt;br /&gt;&lt;br /&gt;This is rarely done because running code on somebody else's computer might be seen as "unauthorized use", possibly making it illegal - although the intentions are obviously good.&lt;br /&gt;&lt;br /&gt;Here's a &lt;a href="http://nieuwsuur.nl/onderwerp/193671-strijd-tegen-cybercrime.html"&gt;video&lt;/a&gt; with more information (Severe warning! It is in Dutch).&lt;br /&gt;&lt;br /&gt;Updated to add: The Dutch police is redirecting Bredolab-infected computers &lt;a href="https://www.waarschuwingsdienst.nl/Risicos/Virussen+en+malware/Ontmanteling+Bredolab.html"&gt;to this help page&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Updated to add: A 27-year old man has been arrested in Armenia. He is under investigation for being one of the operators behind Bredolab.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-3314744644171776212?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/3314744644171776212/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=3314744644171776212' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/3314744644171776212'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/3314744644171776212'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/10/bredolab-botnet-shut-down.html' title='Bredolab botnet shut down'/><author><name>Ned 
Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-8388136609941268640</id><published>2010-10-28T06:16:00.002-04:00</published><updated>2010-10-28T06:25:54.231-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='anonymization'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>When You Think You Surf Anonymously But You Don’t</title><content type='html'>From &lt;a href="http://www.abuse.ch/?paged=4"&gt;Roman Huessy at Abuse.ch&lt;/a&gt; ...&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;Many companies, military and governmental networks have banned social networking sites like Facebook, Twitter, MySpace &amp;Co from their networks. For instance in August 2009 the U.S. Marine Corps just banned Social Networking Sites (SNS) from their classified network.&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Roman continues, &lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;Often there are (legal and comprehensible) reasons to ban SNS from corporate and governmental networks. But the problem is that often the responsible persons and/or administrators who decided to ban SNS don’t know the consequences that such a ban can trigger. Let me ask you: Do you really think that users will accept a ban of their *most-favorite-websites*? Of course most of the users won’t, so they will start trying to dig holes in your corporate firewall and webproxies/gateways.
The points I would like to outline in this post are the consequences you will trigger when banning social networks as well as the risks/threats which result out of this.&lt;br /&gt;&lt;br /&gt;As said before, most users won’t accept a ban of SNS (and please believe me: that’s a fact). The first thing they will do after your ban becomes active is googling about by-passing your security infrastructure. The first thing your users will come across are PHP-based web proxy scripts. One of the most popular PHP-based proxy scripts is called Glype: It’s a tiny, powerful and fast web proxy which is based on PHP. You just have to download the ZIP file, upload the “upload” folder to a webspace and start using your brand new webproxy. But WOW – hey, you don’t even have to install your own web proxy, you can just use sites like proxy[dot]org and get a fresh list of 5’000+ working web proxies!&lt;br /&gt;&lt;br /&gt;What sounds like honey being poured down their back to your users is purely pain for the administrators and security folks of companies and governmental organizations: Within a few minutes users will be able to bypass security gateways easily. But let’s talk about the security risks of such Anonymous web proxies.&lt;br /&gt;&lt;br /&gt;*** The bad things you don’t know about such proxies ***&lt;br /&gt;Unfortunately the other side of the coin looks much worse:&lt;br /&gt;&lt;br /&gt;You don’t know who runs these proxies&lt;br /&gt;You don’t know if these proxies are secure and clean from any malware and drive-bys&lt;br /&gt;You don’t know the intentions of the persons who run these proxies (maybe they have mean ill?)&lt;br /&gt;&lt;br /&gt;But you must be aware of one fact: Those proxies aren’t anonymous! Web Proxy scripts like Glype&amp;Co have a freely configurable option whether the administrator of the (glype-) proxy wants to log the requests which are passing his proxy or not.
And you can be sure that most Glype administrators will do.&lt;br /&gt;&lt;br /&gt;Let’s take a deeper look at the origin IP addresses which are using such Glype proxies. A huge part of the Glype users are users from:&lt;br /&gt;&lt;br /&gt;Educational networks like schools and universities (trying to break the blockade of Facebook&amp;Co on Edu-Networks)&lt;br /&gt;Home users from DSL- and dialup accounts (trying to bypass the internet censorship of their ISPs/country)&lt;br /&gt;Besides this (mostly) legitimate traffic (generally I don’t support internet censorship in any country – so in my opinion this is some kind of legitimate traffic), there is a lot of noise coming from governmental and military networks around the world. I won’t name any countries, but you can be sure that dozens of countries are affected. Some of the affected departments and ministries are listed below (I have translated most of them from other languages, so don’t assume all of them belong to the US – they don’t):&lt;br /&gt;&lt;br /&gt;Ministry of Foreign Affairs&lt;br /&gt;Ministry of Finance&lt;br /&gt;Ministry of Economy&lt;br /&gt;Ministry of Statistics&lt;br /&gt;Ministry of Administration and Interior&lt;br /&gt;Ministry of Industry&lt;br /&gt;Ministry of Interior and Justice&lt;br /&gt;Ministry of Labour and Social Policy&lt;br /&gt;Ministry of Social Development&lt;br /&gt;Department of Defense&lt;br /&gt;Department of Atomic Energy&lt;br /&gt;Department of Health&lt;br /&gt;Department of Science and Technology&lt;br /&gt;Department of Home Affairs&lt;br /&gt;Department of Water Affairs and Forestry&lt;br /&gt;Department of Environment and Conservation&lt;br /&gt;National Laboratory&lt;br /&gt;National Police Service&lt;br /&gt;Residence of the President&lt;br /&gt;Atomic Energy Commission&lt;br /&gt;Centre for Atomic Research&lt;br /&gt;State police&lt;br /&gt;National Telecommunications Commission&lt;br /&gt;Supervision and Administration Commission&lt;br /&gt;State-owned
news agency&lt;br /&gt;Various Military Test- and Command Centres around the globe&lt;br /&gt;Various networks which are just named as “Government of xxxx”&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;And Roman hammers his point home,&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;As I already pointed out I don’t see a problem in users bypassing internet censorship per se. They just have to know that they don’t really surf anonymously when they use such script based proxies (like Glype) and that those logfiles are probably accessible by anyone from anywhere.&lt;br /&gt;&lt;br /&gt;But such proxies are becoming a problem as soon as they are used by employees of governmental and military organisations (like shown above): These proxies could be a great resource for terrorist organizations and foreign intelligence services! Many of the governmental traces I’ve seen are on Facebook – so I was able to catch the names of employees of various governmental and military organizations. To show you the threat of such ‘information’ I will give a real example which I saw in those logfiles.&lt;br /&gt;&lt;br /&gt;You might have noticed that I mentioned Ministry of Foreign Affairs before (of a country which I won’t name here). While checking the logs I just came across a user who surfed on Facebook. The logfiles provide a link to a profile of an employee of the Ministry of Foreign Affairs. When I checked the profile, I just noticed that this user is obviously an employee of the Security Service at the Ministry of Foreign Affairs. In fact, this person is now a high value target for terrorist organizations and foreign intelligence services who are now able to get personal information about this person easily.
This allows them to apply pressure and blackmail the person in order to gain access to classified information and documents.&lt;br /&gt;&lt;br /&gt;*** Conclusion ***&lt;br /&gt;My research on these Glype proxies allows me to make the following conclusions:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Glype (and other script-based proxies) aren’t really anonymous&lt;br /&gt;&lt;li&gt;You don’t know who runs these proxies&lt;br /&gt;&lt;li&gt;Most users of those proxies just want to bypass internet censorship of their country or schools/universities&lt;br /&gt;&lt;li&gt;But there are many users from governmental and military organizations using those proxies too&lt;br /&gt;&lt;li&gt;In those cases you may be able to hide your web traffic from your administrator but you will leave traces in other places which are probably a threat to your whole company!&lt;br /&gt;&lt;li&gt;Administrators and security folks have to know about these risks and have to adopt compensating measures and/or provide awareness to their users&lt;br /&gt;&lt;li&gt;If you run such a Glype proxy you have to know that you will probably be responsible for any illegal activities which are passing your proxy.
Are you sure that your Glype proxy is not being abused to access illegal content like child porn?&lt;br /&gt;&lt;/ul&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-8388136609941268640?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/8388136609941268640/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=8388136609941268640' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/8388136609941268640'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/8388136609941268640'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/10/when-you-think-you-surf-anonymously-but.html' title='When You Think You Surf Anonymously But You Don’t'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-7877064741420116042</id><published>2010-10-28T06:09:00.002-04:00</published><updated>2010-10-28T06:13:21.462-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Transatlantic Views of Privacy</title><content type='html'>From &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2010/10/27/AR2010102707827.html"&gt;Cecilia Kang at the Washington Post&lt;/a&gt; ...&lt;br
/&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;The federal government has ended an inquiry into a privacy breach involving Google's Street View service, satisfied with the company's pledge to stop gathering e-mail, passwords and other information from residential WiFi networks as it rolls through neighborhoods.&lt;br /&gt;&lt;br /&gt;Wednesday's decision by the Federal Trade Commission is a sharp contrast with the reaction of regulators in Europe. The United Kingdom has launched a new investigation into Google's collection of unencrypted WiFi data, exposing the company to potential fines. Germany told Google to mark its Street View cars that take pictures of neighborhoods and homes. The Czech Republic banned Google from expanding its mapping software program.&lt;br /&gt;&lt;br /&gt;The differences highlight an increasing gap between regulators in the United States, where the freewheeling Internet culture has birthed many of the social networking sites and search engines used worldwide, and governments in Europe and Canada, which tend to be much more aggressive about privacy.&lt;br /&gt;&lt;br /&gt;"Part of it is cultural, and part of it is that the U.S. and Europe have radically different privacy regimes," said Chris Calabrese, legislative counsel for the ACLU. "The European model is extensive data protection in private information, and the U.S. 
model is piecemeal."&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;This piece provides an interesting insight into how EU regulators approach privacy regulations - an approach that contrasts with how US regulators view privacy.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-7877064741420116042?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/7877064741420116042/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=7877064741420116042' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/7877064741420116042'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/7877064741420116042'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/10/transatlantic-views-of-privacy.html' title='Transatlantic Views of Privacy'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-4278914824052221593</id><published>2010-10-27T12:27:00.002-04:00</published><updated>2010-10-27T12:31:16.375-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Crime'/><title type='text'>Good news, of a kind, from a dark world</title><content type='html'>From &lt;a href="http://www.boingboing.net/2010/10/26/good-news-of-a-kind.html"&gt;Joseph Menn at BoingBoing&lt;/a&gt; ...&lt;br /&gt;&lt;br 
/&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;As a fan of BoingBoing dating from a decade ago, when it was delivered on horseback, I wanted to share something positive with fellow readers in my first guest post. Unfortunately, the thing I've been most passionate about in my reporting and writing since 1999--cybercrime and tech security--doesn't lend itself to much that's happy. What I'm offering today is a compromise. It was good news to me personally, and it will be good news to those of you who have read my book, Fatal System Error. For the rest of you, it won't be pleasant, and I'm sorry about that.&lt;br /&gt;&lt;br /&gt;On Friday, I got a Skype message from a longtime source of mine: "My friend got his daughter back." We spoke on Sunday, and I will tell you what I can from that talk. To begin with, though, my source uses the fake name Jart Armin of HostExploit.&lt;br /&gt;&lt;br /&gt;Like the people who work at Spamhaus, Jart is one of those people dedicated to tracking the worst cyber gangs who works in anonymity in order to protect himself. I don't like quoting people I can't name, but I did so in the book with Jart because he has done important research and because he is entirely right to be afraid of the people he has been tracking.&lt;br /&gt;&lt;br /&gt;To explain that in the book, I briefly told the story of a colleague of Jart's who was investigating mob activity in St. Petersburg, Russia. The colleague made the mistake of working with the local police. Before he finished his assignment, the man's teenage daughter was kidnapped from her Western country, and the investigator got a message that if he dropped the case, the rest of his children might be okay.&lt;br /&gt;&lt;br /&gt;That was five years ago. I had to leave the story hanging in the book because there had been no closure. A couple of weeks ago, the man got a new message. 
His daughter was in Kazakhstan, and he could have her back as long as he agreed not to look into certain of the gang's activities. One factor in the change of heart was the additional attention that Fatal System Error brought to the mob. The family has been reunited, though the young woman is not the same as she was. She was fed drugs and used to service men. A grim story, but at least it has an ending now, and I wanted to update those who knew the first part.&lt;br /&gt;&lt;br /&gt;There are many reasons why cybercrime is as bad as it is, and getting much worse. One of them is lack of awareness of how dangerous and well-connected the gangs are. The most serious identity thieves and fraudsters are not isolated teenage script kiddies. They are mobsters who kill people, and worse, though those stories are seldom told. Folks need to know just how bad they are, every bit as much as they need to know the stories of the heroes who are risking their lives to stop them.&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;For those interested I strongly recommend you read Menn's book &lt;a href="http://www.amazon.com/Fatal-System-Error-Bringing-Internet/dp/1586487485"&gt;Fatal System Error&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-4278914824052221593?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/4278914824052221593/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=4278914824052221593' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/4278914824052221593'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/4050177321399051504/posts/default/4278914824052221593'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/10/good-news-of-kind-from-dark-world.html' title='Good news, of a kind, from a dark world'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-675041847634115515</id><published>2010-10-26T13:30:00.002-04:00</published><updated>2010-10-26T13:38:39.185-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Firesheep: who is eating my cookies?</title><content type='html'>&lt;div&gt;We talked a bit about FireSheep yesterday in class. PandaLabs provides a good write-up on it &lt;a href="http://pandalabs.pandasecurity.com/firesheep-who-is-eating-my-cookies/"&gt;here &lt;/a&gt;...&lt;div&gt;&lt;br /&gt;&lt;a href="http://pandalabs.pandasecurity.com/wp-content/uploads/2010/10/Mozilla-Firefox.png"&gt;&lt;img src="http://pandalabs.pandasecurity.com/wp-content/uploads/2010/10/Mozilla-Firefox.png" border="0" alt="" style="display: block; margin-top: 0px; margin-right: auto; margin-bottom: 10px; margin-left: auto; text-align: center; cursor: pointer; width: 640px; height: 536px; " /&gt;&lt;/a&gt;&lt;br /&gt;PandaLabs also points out a handy tool to protect yourselves from these attacks. They write,&lt;/div&gt;&lt;div&gt;&lt;blockquote&gt;&lt;span style="font-style: italic; "&gt;Don’t panic. Yes, this is bad, but there are some countermeasures to take. 
The best solution would be to use SSL encryption in all communications, but this has to be supported in the server side, so that won’t be happening (at least massively) anytime soon. Meanwhile, you should use HTTPS Everywhere, which will force to use https when connecting to some major websites, such as Twitter or Facebook:&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://pandalabs.pandasecurity.com/wp-content/uploads/2010/10/HTTPS-Everywhere-Preferences.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 527px; height: 331px;" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2010/10/HTTPS-Everywhere-Preferences.png" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div&gt;You can get &lt;a href="https://www.eff.org/https-everywhere"&gt;HTTPS-EVERYWHERE from the EFF&lt;/a&gt;. They are a very, very reputable organization and I strongly recommend that you install this plug-in. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;NOTE: This plug-in may still be vulnerable to &lt;a href="http://www.thoughtcrime.org/software/sslstrip/"&gt;Moxie Marlinspike's SSL-Strip&lt;/a&gt; attack but I have yet to verify that.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Special thanks to your classmate Sean for pointing out HTTPS-Everywhere. 
Good work Sean!&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-675041847634115515?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/675041847634115515/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=675041847634115515' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/675041847634115515'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/675041847634115515'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/10/firesheep-who-is-eating-my-cookies.html' title='Firesheep: who is eating my cookies?'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-8221841328545619124</id><published>2010-10-25T10:32:00.001-04:00</published><updated>2010-10-25T10:36:10.895-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Transparency'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>"Deleted" Facebook photos still not deleted: a followup</title><content type='html'>Via Jacqui Cheng at Ars Technica&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;Facebook may be making strides in some areas of privacy, but the company is still struggling when it 
comes to deleting user photos—or not deleting them, as the case may be.&lt;br /&gt;&lt;br /&gt;We &lt;a href="http://arstechnica.com/web/news/2009/07/are-those-photos-really-deleted-from-facebook-think-twice.ars"&gt;wrote a piece more than a year ago&lt;/a&gt; examining whether photos really disappear from social network servers when you delete them, and found that Facebook was one of the worst offenders when it came to leaving "deleted" photos online. We decided to revisit the issue recently when readers continued to point out that our deleted photos from that article were still online more than 16 months later. Indeed, &lt;a href="http://photos-h.ak.fbcdn.net/photos-ak-sf2p/v10/158/75/13703945/n13703945_30332935_716.jpg"&gt;this old photo of me&lt;/a&gt; remains on Facebook's content delivery network (CDN) servers, despite being deleted on May 21, 2009&lt;/span&gt;.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Read more &lt;a href="http://arstechnica.com/web/news/2010/10/facebook-may-be-making-strides.ars"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-8221841328545619124?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/8221841328545619124/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=8221841328545619124' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/8221841328545619124'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/8221841328545619124'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/10/deleted-facebook-photos-still-not.html' title='&quot;Deleted&quot; Facebook 
photos still not deleted: a followup'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-7017467214138199732</id><published>2010-10-25T10:26:00.000-04:00</published><updated>2010-10-25T10:27:51.697-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Privacy and the Internet</title><content type='html'>Courtesy of &lt;a href="http://flowingdata.com/2010/10/22/privacy-and-the-internet/"&gt;Flowing Data&lt;/a&gt; ... &lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://flowingdata.com/wp-content/uploads/2010/10/Privacy-on-the-Internet-550x379.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 550px; height: 379px;" src="http://flowingdata.com/wp-content/uploads/2010/10/Privacy-on-the-Internet-550x379.png" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Is this an overstatement?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-7017467214138199732?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/7017467214138199732/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=7017467214138199732' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/7017467214138199732'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/4050177321399051504/posts/default/7017467214138199732'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/10/privacy-and-internet.html' title='Privacy and the Internet'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-4471358508568525606</id><published>2010-10-24T21:30:00.000-04:00</published><updated>2010-10-24T21:31:21.540-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Information Warfare'/><title type='text'>Independent Myanmar Publication Claims Cyberattack</title><content type='html'>From the &lt;a href="http://www.nytimes.com/2010/09/28/world/asia/28irrawaddy.html?_r=1"&gt;New York Times&lt;/a&gt; ...&lt;br /&gt;&lt;br /&gt;BANGKOK — The Web site of The Irrawaddy, a magazine based in Thailand that is a leading source of news and criticism of the junta in Myanmar, has come under attack and been blocked by hackers, its editor, Aung Zaw, said on Monday.&lt;br /&gt;&lt;br /&gt;The “distributed denial of service” attack just after midnight was similar but more sophisticated than an attack that forced the temporary closing of the site two years ago. Mr. Aung Zaw said it was not clear whether the attack came from inside Myanmar or from China, a close ally. Visitors to the Web site, www.irrawaddy.org, have been redirected to a mirror site while technicians seek to restore it.&lt;br /&gt;&lt;br /&gt;“This is a new game, a new frontier” in the government’s struggle against its opponents, Mr. Aung Zaw said. 
“It shows how vulnerable we are.”&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-4471358508568525606?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/4471358508568525606/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=4471358508568525606' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/4471358508568525606'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/4471358508568525606'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/10/independent-myanmar-publication-claims.html' title='Independent Myanmar Publication Claims Cyberattack'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-2145919928678300897</id><published>2010-10-24T21:28:00.002-04:00</published><updated>2010-10-24T21:30:16.528-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Crime'/><title type='text'>M&amp;A in the Underground Economy</title><content type='html'>From Krebs on Security ...&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;Leading malware developers within the cyber crime community have conspired to terminate development of the infamous ZeuS banking Trojan and to merge its code base with that of the up-and-coming SpyEye Trojan, new evidence suggests. 
The move appears to be aimed at building a superior e-banking threat whose sale is restricted to a more exclusive and well-heeled breed of cyber crook.&lt;br /&gt;&lt;br /&gt;Underground forums are abuzz with rumors that the ZeuS author — a Russian hacker variously known by the monikers “Slavik” and “Monstr” — is no longer planning to maintain the original commercial crimeware kit.&lt;br /&gt;&lt;br /&gt;According to numerous hacker forums, the source code for ZeuS recently was transferred to the developer of the SpyEye Trojan, a rival malware maker who drew attention to himself by dubbing his creation the “ZeuS Killer.” The upstart banking Trojan author constantly claimed that his bot creation kit bested ZeuS in functionality and form (SpyEye made headlines this year when investigators discovered it automatically searched for and removed ZeuS from infected PCs before installing itself).&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;The rest of this post does an excellent job of describing the competitive dynamics in the underground marketplace. 
Read more &lt;a href="http://krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/#more-5983"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-2145919928678300897?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/2145919928678300897/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=2145919928678300897' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/2145919928678300897'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/2145919928678300897'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/10/m-in-underground-economy.html' title='M&amp;A in the Underground Economy'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-8805208947013834019</id><published>2010-10-04T07:48:00.003-04:00</published><updated>2010-10-04T07:54:01.438-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Crime'/><title type='text'>Ukraine Detains 5 Individuals Tied to $70 Million in U.S. 
eBanking Heists</title><content type='html'>From Krebs on Security,&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;Authorities in Ukraine this week detained five individuals believed to be the masterminds behind sophisticated cyber thefts that siphoned $70 million – out of an attempted $220 million — from hundreds of U.S.-based small to mid-sized businesses over the last 18 months, the FBI said Friday.&lt;br /&gt;&lt;br /&gt;At a press briefing on “Operation Trident Breach,” FBI officials described the Ukrainian suspects as the “coders and exploiters” behind a series of online banking heists that have led to an increasing number of disputes and lawsuits between U.S. banks and the victim businesses that are usually left holding the bag.&lt;br /&gt;&lt;br /&gt;The FBI said five individuals detained by the Security Service of Ukraine (SBU) on Sept. 30 were members of a gang responsible for creating specialized versions of the password-stealing ZeuS banking Trojan and deploying the malware in e-mails targeted at small to mid-sized businesses.&lt;br /&gt;&lt;br /&gt;Investigators say the Ukrainian gang used the software to break into computers belonging to at least 390 U.S. companies, transferring victim funds to more than 3,500 so-called “money mules,” individuals in the United States willingly or unwittingly recruited to receive the cash and forward it overseas to the attackers. 
In connection with the investigation, some 50 SBU officials also executed eight search warrants in the eastern region of Ukraine this week&lt;/span&gt;&lt;/blockquote&gt;.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://krebsonsecurity.com/wp-content/uploads/2010/10/ring.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 700px; height: 350px;" src="http://krebsonsecurity.com/wp-content/uploads/2010/10/ring.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-8805208947013834019?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/8805208947013834019/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=8805208947013834019' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/8805208947013834019'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/8805208947013834019'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/10/ukraine-detains-5-individuals-tied-to.html' title='Ukraine Detains 5 Individuals Tied to $70 Million in U.S. 
eBanking Heists'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-8923839531637296961</id><published>2010-10-04T07:08:00.002-04:00</published><updated>2010-10-04T07:11:10.153-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='Information Warfare'/><title type='text'>New Clues Point to Israel as Author of Blockbuster Worm, Or Not</title><content type='html'>From Wired's Threat Level Blog,&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;New clues released this week show a possible link between Israel and sophisticated malware targeting industrial control systems in critical infrastructure systems, such as nuclear plants and oil pipelines.&lt;br /&gt;&lt;br /&gt;Late Thursday, security firm Symantec released a detailed paper with analysis of the headline-making code (.pdf), which reveals two clues in the Stuxnet malware that add to speculation that Israel may have authored the code to target Iran.&lt;br /&gt;&lt;br /&gt;Or, they could simply be red herrings planted in the code by programmers to point suspicion at Israel and away from other possible suspects.&lt;br /&gt;&lt;br /&gt;The malware, called Stuxnet, appears to be the first to effectively attack critical infrastructure and in a manner that produces physical results, although there’s no proof yet any real-world damage has been done by it. The malware’s sophistication and infection of thousands of machines in Iran has led some to speculate that the U.S. 
or Israeli government built the code to take out Iran’s nuclear program.&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.wired.com/images_blogs/threatlevel/2010/10/Stuxnet-Infected-Hosts.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 727px; height: 431px;" src="http://www.wired.com/images_blogs/threatlevel/2010/10/Stuxnet-Infected-Hosts.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;Read more &lt;a href="http://www.wired.com/threatlevel/2010/10/stuxnet-deconstructed/"&gt;here&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-8923839531637296961?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/8923839531637296961/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=8923839531637296961' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/8923839531637296961'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/8923839531637296961'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/10/new-clues-point-to-israel-as-author-of.html' title='New Clues Point to Israel as Author of Blockbuster Worm, Or Not'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-6697390367070248636</id><published>2010-10-04T06:30:00.001-04:00</published><updated>2010-10-04T06:35:52.661-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Some Android apps caught covertly sending GPS data to advertisers</title><content type='html'>From Ars Technica,&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;The results of a study conducted by researchers from Duke University, Penn State University, and Intel Labs have revealed that a significant number of popular Android applications transmit private user data to advertising networks without explicitly asking or informing the user. The researchers developed a piece of software called TaintDroid that uses dynamic taint analysis to detect and report when applications are sending potentially sensitive information to remote servers.&lt;br /&gt;&lt;br /&gt;They used TaintDroid to test 30 popular free Android applications selected at random from the Android market and found that half were sending private information to advertising servers, including the user's location and phone number. In some cases, they found that applications were relaying GPS coordinates to remote advertising network servers as frequently as every 30 seconds, even when not displaying advertisements. 
These findings raise concern about the extent to which mobile platforms can insulate users from unwanted invasions of privacy&lt;/span&gt;.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Read More &lt;a href="http://arstechnica.com/security/news/2010/09/some-android-apps-found-to-covertly-send-gps-data-to-advertisers.ars"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-6697390367070248636?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/6697390367070248636/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=6697390367070248636' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/6697390367070248636'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/6697390367070248636'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/10/some-android-apps-caught-covertly.html' title='Some Android apps caught covertly sending GPS data to advertisers'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-4464397579815077261</id><published>2010-09-29T07:52:00.002-04:00</published><updated>2010-09-29T07:59:58.949-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Espionage'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Cyber Crime'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>FBI Drive for Encryption Backdoors Is Déjà Vu for Security Experts</title><content type='html'>From Wired Magazine via the New York Times,&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;The FBI now wants to require all encrypted communications systems to have back doors for surveillance, according to a New York Times report, and to the nation’s top crypto experts it sounds like a battle they’ve fought before.&lt;br /&gt;&lt;br /&gt;Back in the 1990s, in what’s remembered as the crypto wars, the FBI and NSA argued that national security would be endangered if they did not have a way to spy on encrypted e-mails, IMs and phone calls. After a long protracted battle, the security community prevailed after mustering detailed technical studies and research that concluded that national security was actually strengthened by wide use of encryption to secure computers and sensitive business and government communications.&lt;br /&gt;&lt;br /&gt;Now the FBI is proposing a similar requirement that would require online service providers, perhaps even software makers, to only offer encrypted communication unless the companies have a way to unlock the communications.&lt;br /&gt;&lt;br /&gt;In the New York Times story that unveiled the drive, the FBI cited a case where a mobster was using encrypted communication, and the FBI had to sneak into his office to plant a bug. 
One of the named problems was RIM, the maker of BlackBerrys, which provides encrypted e-mail communications for companies and governments, and which has come under pressure from India and the United Arab Emirates to locate its servers in its countries.&lt;br /&gt;&lt;br /&gt;According to the proposal, any company doing business in the States could not create an encrypted communication system without having a way for the government to order the company to decrypt it, and those who currently do offer that service would have to re-tool it. It’s the equivalent of outlawing whispering in real life.&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Read the full article &lt;a href="http://www.wired.com/threatlevel/2010/09/fbi-backdoors/"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-4464397579815077261?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/4464397579815077261/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=4464397579815077261' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/4464397579815077261'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/4464397579815077261'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/09/fbi-drive-for-encryption-backdoors-is.html' title='FBI Drive for Encryption Backdoors Is Déjà Vu for Security Experts'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-4255186783635545106</id><published>2010-09-26T05:37:00.002-04:00</published><updated>2010-09-26T05:43:20.687-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Crime'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='Information Warfare'/><title type='text'>DDOS Botnets in Action</title><content type='html'>The Shadowserver Foundation is an all volunteer group of security researchers that monitor and report on online malicious activity. They occasionally blog about some of their more interesting findings. I found a recent post about DDOS botnets particularly interesting.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;One of the uses of botnets that I find particularly interesting are Distributed Denial of Service(DDoS) attacks. I spend a fair amount of time tracking the various botnet related attacks that Shadowserver sees, especially when the list of victims is of fairly high profile. I've been watching a DDoS group that has been attacking a wide variety of victims in several different countries. 
This group uses the BlackEnergy botnet to carry out its attacks.&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;The rest of the post can be found &lt;a href="http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100913"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-4255186783635545106?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/4255186783635545106/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=4255186783635545106' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/4255186783635545106'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/4255186783635545106'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/09/ddos-botnets-in-action.html' title='DDOS Botnets in Action'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-5220833358237071597</id><published>2010-09-25T18:28:00.001-04:00</published><updated>2010-09-25T18:30:17.114-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Crime'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>ATM Skimmers in 
Action</title><content type='html'>From &lt;a href="http://www.wired.com/threatlevel/2010/09/skimming-video/"&gt;Wired Magazine&lt;/a&gt;,&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;Authorities in Europe have seized a nice video recorded by a group of carders showing the criminals installing a skimming device and hidden camera at an ATM in the United Kingdom to steal customer PINs. Filmed from the hidden pinhole camera itself, installed above the ATM, the video shows how easy it is to capture the PINs as customers enter them on the keypad. But a few wily customers, who are wise to the carders’ tricks, manage to thwart their scheme by shielding the keypad as they type in their number.&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;object width="640" height="390"&gt;&lt;param name="movie" value="http://www.youtube.com/v/JbDdsUh_sTg&amp;hl=en_US&amp;feature=player_embedded&amp;version=3"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowScriptAccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/JbDdsUh_sTg&amp;hl=en_US&amp;feature=player_embedded&amp;version=3" type="application/x-shockwave-flash" allowfullscreen="true" allowScriptAccess="always" width="640" height="390"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-5220833358237071597?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/5220833358237071597/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=5220833358237071597' title='2 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/4050177321399051504/posts/default/5220833358237071597'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/5220833358237071597'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/09/atm-skimmers-in-action.html' title='ATM Skimmers in Action'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-6139014384594776224</id><published>2010-09-25T18:14:00.001-04:00</published><updated>2010-09-25T18:18:11.292-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Google's Eric Schmidt on Privacy</title><content type='html'>&lt;table style="font:11px arial; color:#333; background-color:#f5f5f5" cellpadding="0" cellspacing="0" width="360" height="353"&gt;&lt;tbody&gt;&lt;tr style="background-color:#e5e5e5" valign="middle"&gt;&lt;td style="padding:2px 1px 0px 5px;"&gt;&lt;a target="_blank" style="color:#333; text-decoration:none; font-weight:bold;" href="http://www.colbertnation.com/"&gt;The Colbert Report&lt;/a&gt;&lt;/td&gt;&lt;td style="padding:2px 5px 0px 5px; text-align:right; font-weight:bold;"&gt;Mon - Thurs 11:30pm / 10:30c&lt;/td&gt;&lt;/tr&gt;&lt;tr style="height:14px;" valign="middle"&gt;&lt;td style="padding:2px 1px 0px 5px;" colspan="2"&gt;&lt;a target="_blank" style="color:#333; text-decoration:none; font-weight:bold;" href="http://www.colbertnation.com/the-colbert-report-videos/359744/september-21-2010/eric-schmidt"&gt;Eric Schmidt&lt;/a&gt;&lt;a&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr style="height:14px; 
background-color:#353535" valign="middle"&gt;&lt;td colspan="2" style="padding:2px 5px 0px 5px; width:360px; overflow:hidden; text-align:right"&gt;&lt;a target="_blank" style="color:#96deff; text-decoration:none; font-weight:bold;" href="http://www.colbertnation.com/"&gt;www.colbertnation.com&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr valign="middle"&gt;&lt;td style="padding:0px;" colspan="2"&gt;&lt;embed style="display:block" src="http://media.mtvnservices.com/mgid:cms:item:comedycentral.com:359744" width="360" height="301" type="application/x-shockwave-flash" wmode="window" allowfullscreen="true" flashvars="autoPlay=false" allowscriptaccess="always" allownetworking="all" bgcolor="#000000"&gt;&lt;/embed&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr style="height:18px;" valign="middle"&gt;&lt;td style="padding:0px;" colspan="2"&gt;&lt;table style="margin:0px; text-align:center" cellpadding="0" cellspacing="0" width="100%" height="100%"&gt;&lt;tbody&gt;&lt;tr valign="middle"&gt;&lt;td style="padding:3px; width:33%;"&gt;&lt;a target="_blank" style="font:10px arial; color:#333; text-decoration:none;" href="http://www.colbertnation.com/full-episodes/"&gt;Colbert Report Full Episodes&lt;/a&gt;&lt;/td&gt;&lt;td style="padding:3px; width:33%;"&gt;&lt;a target="_blank" style="font:10px arial; color:#333; text-decoration:none;" href="http://www.indecisionforever.com/"&gt;2010 Election&lt;/a&gt;&lt;/td&gt;&lt;td style="padding:3px; width:33%;"&gt;&lt;a target="_blank" style="font:10px arial; color:#333; text-decoration:none;" href="http://www.colbertnation.com/video/tag/Fox+News"&gt;Fox News&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-6139014384594776224?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://gucosc011.blogspot.com/feeds/6139014384594776224/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=6139014384594776224' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/6139014384594776224'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/6139014384594776224'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/09/googles-eric-schmidt-on-privacy.html' title='Google&apos;s Eric Schmidt on Privacy'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-4538470347165400321</id><published>2010-09-25T18:10:00.001-04:00</published><updated>2010-09-25T18:12:30.100-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Microsoft Seeks Privacy Law to Aid Cloud Computing</title><content type='html'>From Bloomberg.com,&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;Microsoft Corp. is urging an overhaul of U.S. 
laws for electronic privacy to help new services such as cloud computing, a technology that may double sales in five years.&lt;br /&gt;As more data are stored on remote servers and away from personal computers, a 1986 digital law needs to be updated to give consumers confidence their information is protected, Brad Smith, Microsoft’s general counsel, said yesterday at a Senate Judiciary Committee hearing in Washington&lt;/span&gt;.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Read more &lt;a href="http://www.bloomberg.com/news/2010-09-23/microsoft-seeks-new-u-s-privacy-law-to-propel-cloud-computing.html"&gt;here&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-4538470347165400321?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/4538470347165400321/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=4538470347165400321' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/4538470347165400321'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/4538470347165400321'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/09/microsoft-seeks-privacy-law-to-aid.html' title='Microsoft Seeks Privacy Law to Aid Cloud Computing'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-1344366496731786370</id><published>2010-05-17T12:35:00.004-04:00</published><updated>2010-05-19T20:39:07.145-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>ReclaimPrivacy.org</title><content type='html'>&lt;div&gt;UPDATE: There seem to be some questions about the safety and reliability of this tool. When I have some free time I am going to conduct a behavioral analysis to vet the tool. Please refrain from using it until it's been validated as safe.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I just discovered an interesting new site, &lt;a href="http://www.reclaimprivacy.org/"&gt;reclaimprivacy.org&lt;/a&gt;, which according to the site admins is designed "to promote privacy awareness on Facebook and elsewhere."&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.reclaimprivacy.org/images/logo.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 200px; height: 200px;" src="http://www.reclaimprivacy.org/images/logo.png" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;The site works by "scanning your Facebook privacy settings" and warning you "about settings that might be unexpectedly public."&lt;br /&gt;&lt;br /&gt;hat tip to Drew Conway (&lt;a href="http://www.twitter.com/drewconway"&gt;@drewconway&lt;/a&gt;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-1344366496731786370?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://gucosc011.blogspot.com/feeds/1344366496731786370/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=1344366496731786370' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1344366496731786370'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1344366496731786370'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/05/reclaimprivacyorg.html' title='ReclaimPrivacy.org'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-5454736082591157270</id><published>2010-05-15T08:31:00.004-04:00</published><updated>2010-05-15T13:00:40.925-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Facebook Backlash</title><content type='html'>Seems that I'm not the only one interested in deleting their Facebook account. 
This graph from Google Insights details a spike in the number of internet searches for "delete facebook."&lt;br /&gt;&lt;br /&gt;&lt;div align="center"&gt;&lt;script type="text/javascript" src="http://www.gmodules.com/ig/ifr?url=http%3A%2F%2Fwww.google.com%2Fig%2Fmodules%2Fgoogle_insightsforsearch_interestovertime_searchterms.xml&amp;amp;up__property=empty&amp;amp;up__search_terms=delete+facebook&amp;amp;up__location=US&amp;amp;up__category=0&amp;amp;up__time_range=empty&amp;amp;up__compare_to_category=false&amp;amp;synd=open&amp;amp;w=540&amp;amp;h=350&amp;amp;lang=en-US&amp;amp;title=Google+Insights+for+Search&amp;amp;border=%23ffffff%7C3px%2C1px+solid+%23999999&amp;amp;output=js"&gt;&lt;/script&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;Also, Google Suggest indicates that lots of folks are querying "how do I delete my facebook account."&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_EPdWwRHOzC8/S-7TF5wUkQI/AAAAAAAACbc/xMIJadKTA4g/s1600/delete_facebook.gif"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 306px;" src="http://4.bp.blogspot.com/_EPdWwRHOzC8/S-7TF5wUkQI/AAAAAAAACbc/xMIJadKTA4g/s400/delete_facebook.gif" border="0" alt="" id="BLOGGER_PHOTO_ID_5471542695658033410" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-5454736082591157270?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/5454736082591157270/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=5454736082591157270' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/4050177321399051504/posts/default/5454736082591157270'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/5454736082591157270'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/05/facebook-backlash.html' title='Facebook Backlash'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_EPdWwRHOzC8/S-7TF5wUkQI/AAAAAAAACbc/xMIJadKTA4g/s72-c/delete_facebook.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-2497833935711507567</id><published>2010-05-13T15:00:00.002-04:00</published><updated>2010-05-13T15:04:28.281-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Farewell to Facebook</title><content type='html'>&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_EPdWwRHOzC8/S-xMhuZky3I/AAAAAAAACbU/4RarhfInNCg/s1600/facebook-delete.gif"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 100px;" src="http://1.bp.blogspot.com/_EPdWwRHOzC8/S-xMhuZky3I/AAAAAAAACbU/4RarhfInNCg/s400/facebook-delete.gif" border="0" alt="" id="BLOGGER_PHOTO_ID_5470831789623004018" /&gt;&lt;/a&gt;&lt;div style="text-align: center;"&gt;&lt;span class="Apple-style-span"  style="color:#0000EE;"&gt;&lt;u&gt;&lt;br /&gt;&lt;/u&gt;&lt;/span&gt;&lt;/div&gt;&lt;br /&gt;When I have some spare time I'll provide more thoughts on this.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/4050177321399051504-2497833935711507567?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/2497833935711507567/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=2497833935711507567' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/2497833935711507567'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/2497833935711507567'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/05/farewell-to-facebook.html' title='Farewell to Facebook'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_EPdWwRHOzC8/S-xMhuZky3I/AAAAAAAACbU/4RarhfInNCg/s72-c/facebook-delete.gif' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-7193888970846457827</id><published>2010-04-27T09:29:00.003-04:00</published><updated>2010-04-27T09:43:03.574-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Sens. press Facebook on giving data to advertisers</title><content type='html'>From the &lt;a href="http://voices.washingtonpost.com/posttech/2010/04/senators_pressure_facebook_to.html?hpid=topnews"&gt;Washington Post's Cecilia Kang&lt;/a&gt;,&lt;br /&gt;&lt;span style="font-style:italic;"&gt;&lt;blockquote&gt;Sens. Charles Schumer (D-NY), Michael F. 
Bennet (D-Colo.), and Al Franken (D-Minn.) plan to send a letter today to Facebook, urging the social networking giant to change the way it gives user data to third-party advertisers.&lt;br /&gt;&lt;br /&gt;Last week, changes at Facebook made data from its users available to third parties unless a user opted out, the lawmakers said. That means, they said, the default for most users is for private information to be available to advertisers and other third parties.&lt;br /&gt;&lt;br /&gt;"Social networking sites are a Wild West of the Internet; users need ability to control private information and fully understand how it's being used," the lawmakers wrote in a news release. They will hold a news conference at noon Tuesday and release a letter they will send to Facebook asking for changes to the site's privacy policies.&lt;/blockquote&gt;&lt;/span&gt;As we discussed yesterday, Facebook has again appeared to increase its sharing of its users' data with third parties. Over the past two years Facebook has pushed more of its users' data into the open. First with the infamous News Feed, then with the Beacon program, followed by its recent redefinition of publicly available information which allowed for Google to crawl Facebook, and now with this new program that shares data with a growing list of third-party providers.&lt;br /&gt;&lt;br /&gt;We discussed repeatedly in class that privacy is properly defined as the ability to control how your data is used. It seems clear that Facebook is pushing the limits of its users' privacy by removing an individual user's ability to control how his or her personal information is shared with and used by third parties. 
Sadly, Facebook could avoid many of its impending perception and potential legal problems if they simply adopted an opt-in policy instead of forcing user data into the public domain and only allowing users to opt-in after it may be too late.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-7193888970846457827?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/7193888970846457827/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=7193888970846457827' title='17 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/7193888970846457827'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/7193888970846457827'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/04/sens-press-facebook-on-giving-data-to.html' title='Sens. 
press Facebook on giving data to advertisers'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>17</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-7067950574754340220</id><published>2010-04-26T10:53:00.007-04:00</published><updated>2010-05-01T10:26:32.085-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Crime'/><title type='text'>Charting Cybercrime</title><content type='html'>&lt;div&gt;&lt;a href="http://krebsonsecurity.com/"&gt;Brian Krebs&lt;/a&gt; pointed me to this Google mashup created by Aaron Jacobson of &lt;a href="http://www.authentify.com/"&gt;Authentify&lt;/a&gt;. It uses media reports to chart online banking heists. As you can see the damage has been widespread and costly. Krebs provides his thoughts on the mashup &lt;a href="http://krebsonsecurity.com/2010/04/charting-the-carnage-from-ebanking-fraud/"&gt;here&lt;/a&gt;.&lt;/div&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;iframe width="475" height="350" frameborder="0" scrolling="no" marginheight="0" marginwidth="0" src="http://maps.google.com/maps/ms?ie=UTF8&amp;amp;hl=en&amp;amp;msa=0&amp;amp;msid=105802555703110686407.000484d76262a391c3a63&amp;amp;ll=34.524661,-84.638672&amp;amp;spn=43.154891,93.076172&amp;amp;output=embed"&gt;&lt;/iframe&gt;&lt;/div&gt;&lt;small&gt;View &lt;a href="http://maps.google.com/maps/ms?ie=UTF8&amp;amp;hl=en&amp;amp;msa=0&amp;amp;msid=105802555703110686407.000484d76262a391c3a63&amp;amp;ll=34.524661,-84.638672&amp;amp;spn=43.154891,93.076172&amp;amp;source=embed" style="color:#0000FF;text-align:left"&gt;Cybertheft Victims&lt;/a&gt; in a larger map&lt;/small&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/4050177321399051504-7067950574754340220?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/7067950574754340220/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=7067950574754340220' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/7067950574754340220'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/7067950574754340220'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/04/charting-cybercrime.html' title='Charting Cybercrime'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-1038153886243324509</id><published>2010-04-25T19:50:00.003-04:00</published><updated>2010-04-25T20:01:15.669-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Information Warfare'/><title type='text'>Rebutting Cyberwar Rhetoric</title><content type='html'>While we have spent a good deal of time this semester discussing various ways nation-states and non-state actors can use the Internet to achieve political and financial goals, it is important to listen to those voices that rebut the overheated Cyberwar! rhetoric that ricochets around the DC beltway. Among the principal critics of the cyberwar drumbeat are the folks over at &lt;a href="http://www.wired.com/threatlevel/"&gt;Wired Magazine's Threat Level blog&lt;/a&gt;. 
In a recent post Wired's Ryan Singel provides an incisive critique of former national security council member Richard Clarke's new book &lt;a href="http://www.amazon.com/Cyber-War-Threat-National-Security/dp/0061962236/ref=sr_1_1?ie=UTF8&amp;amp;s=books&amp;amp;qid=1272240058&amp;amp;sr=8-1"&gt;Cyberwar&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Singel writes,&lt;br /&gt;&lt;span style="font-style:italic;"&gt;&lt;blockquote&gt;Readers of Richard Clarke’s new book Cyberwar who want to jump to the steamy parts should start at page 64 in the chapter “Cyber Warriors.” It’s there you’ll find the Book of Revelation re-written for the internet age, with the end-times heralded by the Four Trojan Horses of the Apocalypse.&lt;br /&gt;&lt;br /&gt;Chinese hackers take down the Pentagon’s classified and unclassified networks, trigger explosions at oil refineries, release chlorine gas from chemical plants, disable air traffic control, cause trains to crash into each other, delete all data — including offsite backups — held by the federal reserve and major banks, then plunge the country into darkness by taking down the power grid from coast-to-coast. Thousands die immediately. Cities run out of food, ATMs shut down, looters take to the streets.&lt;br /&gt;&lt;br /&gt;That electronic Judgment Day is not the stuff of bad movies or sci-fi novels, according to Clarke, who writes, “A sophisticated cyber war attack by one of several nation-states could do that today, in fifteen minutes.”&lt;br /&gt;&lt;br /&gt;That’s right. In less time than it takes to download Live Free or Die Hard, foreign hackers could make it real.&lt;/blockquote&gt;&lt;/span&gt;Singel continues,&lt;br /&gt;&lt;span style="font-style:italic;"&gt;&lt;blockquote&gt;It’s not just Clarke’s 15-minutes-to-doomsday scenario that stretches credulity. Like most cyberwar pundits, Clarke puts a shine on his fear mongering by regurgitating long-ago debunked hacker horror stories. 
In his world, the Slammer worm was partially responsible for the Northeast blackout of 2003 — the Energy Department concluded otherwise. A power outage in Brazil is similarly attributed to a hacker, when the real-life evidence points to sooty insulators. Clarke describes the Russian denial-of-service attacks against Estonian servers in 2007 as the “largest ever seen” (not even close). He claims that foreign hackers stole the plans to the F-35 Joint Strike Fighter fighter, when they actually nabbed unclassified information on the plane’s self-diagnostic system.&lt;br /&gt;&lt;br /&gt;So much of Clarke’s evidence is either easily debunked with a Google search, or so defies common sense, that you’d think reviewers of the book would dismiss it outright. Instead, they seem content to quote the book liberally and accept his premise that cyberwar could flatten the United States, and no one in power cares at all. Of course, the debunking would be easier if the book had footnotes or endnotes, but neither are included — Revelation doesn’t need sources.&lt;/blockquote&gt;&lt;/span&gt;Singel notes,&lt;br /&gt;&lt;span style="font-style:italic;"&gt;&lt;blockquote&gt;Clarke’s prescriptions are manyfold. First, the nation’s backbone carriers — the ones with fiber optic networks crisscrossing the country — should be required to inspect all packets, and delete the ones that match known signatures of viruses and other malware. 
While that might seem like a fine idea, the security industry is already moving away from signature-based strategies, since malware-makers have taken to testing their payloads against anti-virus software before deploying it.&lt;br /&gt;&lt;br /&gt;ISPs already have the ability, and the legal right, to filter out known bad packets, but requiring it — as Clarke would do — would not only be ineffective, but it would inevitably lead to other demands to filter content, first child pornography, then perceived copyright violations, and finally unwanted speech of all sorts. Clarke fails to consider the contents of the Pandora’s box he seeks to open.&lt;br /&gt;&lt;br /&gt;More persuasively, Clarke argues the feds need to set some real, auditable and binding rules for companies that run critical infrastructure, such as the electrical grid. The current policy is driven by the rationale that private-sector companies have enough financial incentive to protect their network, and the government’s role should be limited to helping share information about threats among the stakeholders. That policy works well when it comes to companies like Google and Chase, which could lose customers if their networks are routinely hacked, but isn’t as effective for your energy company, which likely has no real competition.&lt;br /&gt;&lt;br /&gt;So, even if you don’t accept Clarke’s doomsday predictions, there’s a good case to be made that the feds ought to have strong rules governing these systems, and, as he suggests, a crew of white hat hackers tasked with trying to bust into the grid on a daily basis.&lt;/blockquote&gt;&lt;/span&gt;Singel concludes,&lt;br /&gt;&lt;span style="font-style:italic;"&gt;&lt;blockquote&gt;The cyberwar rhetoric is dangerous. Its practitioners are artists of exaggeration, who seem to think spinning tall tales is the only way to make bureaucracies move in the right direction. But yelling “Cyberwar” in a crowded internet is not without consequence. 
Not only does it promote unnecessary fear, it feeds the forces of parochial nationalism and militarism — undermining a communications system that has arguably done more to connect the world’s citizens than the last 50 years of diplomacy.&lt;/blockquote&gt;&lt;/span&gt;Check out the full article &lt;a href="http://www.wired.com/threatlevel/2010/04/cyberwar-richard-clarke/"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-1038153886243324509?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/1038153886243324509/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=1038153886243324509' title='8 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1038153886243324509'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1038153886243324509'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/04/rebutting-cyberwar-rhetoric.html' title='Rebutting Cyberwar Rhetoric'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>8</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-8719779485780684390</id><published>2010-04-23T19:14:00.003-04:00</published><updated>2010-04-23T19:22:07.148-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Information Warfare'/><title type='text'>CBS Report on Cybersecurity</title><content type='html'>&lt;div 
style="text-align: left;"&gt;This report from CBS News is a good brief overview of how the lack of international cooperation on cyber security represents a threat to US national security. &lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;embed src="http://cnettv.cnet.com/av/video/cbsnews/atlantis2/player-dest.swf" flashvars="linkUrl=http://www.cbsnews.com/video/watch/?id=6423365n&amp;amp;tag=api&amp;amp;releaseURL=http://cnettv.cnet.com/av/video/cbsnews/atlantis2/player-dest.swf&amp;amp;videoId=50086642,50086692,50086693,50086687,50086689,50086675,50086643&amp;amp;partner=news&amp;amp;vert=News&amp;amp;si=254&amp;amp;autoPlayVid=false&amp;amp;name=cbsPlayer&amp;amp;allowScriptAccess=always&amp;amp;wmode=transparent&amp;amp;embedded=y&amp;amp;scale=noscale&amp;amp;rv=n&amp;amp;salign=tl" allowfullscreen="true" width="425" height="324" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer"&gt;&lt;/embed&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;a href="http://www.cbsnews.com/"&gt;&lt;span class="Apple-style-span" style="color: rgb(0, 0, 0); -webkit-text-decorations-in-effect: none; "&gt;&lt;/span&gt;&lt;/a&gt;&lt;a href="http://www.cbsnews.com/"&gt;Watch CBS News Videos Online&lt;/a&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;a href="http://www.cbsnews.com/"&gt;&lt;br /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;The video also shows something that all of us should already know - &lt;a href="http://en.wikipedia.org/wiki/Peiter_Zatko"&gt;Mudge&lt;/a&gt; is the man.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-8719779485780684390?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://gucosc011.blogspot.com/feeds/8719779485780684390/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=8719779485780684390' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/8719779485780684390'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/8719779485780684390'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/04/cbs-report-on-cybersecurity.html' title='CBS Report on Cybersecurity'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-5453770047472451390</id><published>2010-04-22T11:37:00.006-04:00</published><updated>2010-04-22T11:44:17.840-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Transparency'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Google Shines Light on Government Requests</title><content type='html'>&lt;div&gt;Google has launched a new service designed to inform its users about which governments request the removal of content and data about Google users. According to Google, "we regularly receive requests from government agencies around the world to remove content from our services, or provide information about users of our services and products. The map shows the number of requests that we received between July 1, 2009 and December 31, 2009, with certain limitations. We know these numbers are imperfect and may not provide a complete picture of these government requests. 
For example, a single request may ask for the removal of more than one URL or for the disclosure of information for multiple users. See the FAQ for more information."&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_EPdWwRHOzC8/S9BuPZR6wPI/AAAAAAAACbE/uBICMYWqcvU/s1600/google-govt-tracker.gif"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 239px;" src="http://2.bp.blogspot.com/_EPdWwRHOzC8/S9BuPZR6wPI/AAAAAAAACbE/uBICMYWqcvU/s400/google-govt-tracker.gif" border="0" alt="" id="BLOGGER_PHOTO_ID_5462987558763544818" /&gt;&lt;/a&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;Check out the service &lt;a href="http://www.google.com/governmentrequests/"&gt;here&lt;/a&gt;.&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_EPdWwRHOzC8/S9Btj0KWzII/AAAAAAAACa8/rs74iK4nk4k/s1600/google-govt-tracker.gif"&gt;&lt;br /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-5453770047472451390?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/5453770047472451390/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=5453770047472451390' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/5453770047472451390'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/4050177321399051504/posts/default/5453770047472451390'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/04/google-shines-light-on-government.html' title='Google Shines Light on Government Requests'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_EPdWwRHOzC8/S9BuPZR6wPI/AAAAAAAACbE/uBICMYWqcvU/s72-c/google-govt-tracker.gif' height='72' width='72'/><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-1400085526164223423</id><published>2010-04-16T22:59:00.003-04:00</published><updated>2010-04-16T23:07:03.793-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Information Warfare'/><category scheme='http://www.blogger.com/atom/ns#' term='Deterrence'/><title type='text'>Military asserts right to return cyber attacks</title><content type='html'>Fascinating read from the AP Wire ...&lt;br /&gt;&lt;span style="font-style:italic;"&gt;&lt;blockquote&gt;The U.S. must fire back against cyber attacks swiftly and strongly and should act to counter or disable a threat even when the identity of the attacker is unknown, the director of the National Security Agency told Congress.&lt;br /&gt;&lt;br /&gt;Lt. Gen. Keith Alexander, who is the Obama administration's nominee to take on additional duties as head of the new Cyber Command, also said the U.S. 
should not be deterred from taking action against countries such as Iran and North Korea just because they might launch cyber attacks.&lt;br /&gt;&lt;br /&gt;"Even with the clear understanding that we could experience damage to our infrastructure, we must be prepared to fight through in the worst case scenario," Alexander said in a Senate document obtained by The Associated Press.&lt;br /&gt;&lt;br /&gt;Alexander's answers reflect the murky nature of the Internet and the escalating threat of cyber terrorism, which defies borders, operates at the speed of light and can provide deep cover for assailants who can launch disruptive attacks from continents away, using networks of innocent computers.&lt;/blockquote&gt;&lt;/span&gt;The article continues,&lt;br /&gt;&lt;span style="font-style:italic;"&gt;&lt;blockquote&gt;U.S. computer networks are under constant attack, and President Barack Obama last year declared that the cyber threat is one of the nation's most serious economic and national security challenges.&lt;br /&gt;&lt;br /&gt;Alexander offered a limited but rare description of offensive U.S. cyber activities, saying the U.S. has "responded to threats, intrusions and even attacks against us in cyberspace," and has conducted exercises and war games.&lt;br /&gt;&lt;br /&gt;It's unclear, Alexander added, whether or not those actions have deterred criminals, terrorists or nations.&lt;br /&gt;&lt;br /&gt;In cyberspace, he said, it is difficult to deliver an effective response if the attacker's identity is not known.&lt;br /&gt;&lt;br /&gt;But commanders have clear rights to self-defense, he said. He added that while "this right has not been specifically established by legal precedent to apply to attacks in cyberspace, it is reasonable to assume that returning fire in cyberspace, as long as it complied with law of war principles ... 
would be lawful."&lt;br /&gt;&lt;br /&gt;Senators noted, in their questions, that police officers don't have to know the identity of a shooter in order to shoot back. In cyberspace, the U.S. may be able to counter a threat, rebuff an electronic probe or disable a malicious network without knowing who is behind the attack.&lt;/blockquote&gt;&lt;/span&gt;The article concludes,&lt;br /&gt;&lt;span style="font-style:italic;"&gt;&lt;blockquote&gt;Noting that there is no international consensus on the definition of use of force, in or out of cyberspace, Alexander said uncertainty creates the potential for disagreements among nations.&lt;br /&gt;&lt;br /&gt;Alexander echoed other experts who warn that the U.S. is unprepared for a cyber attack. He said the first priority is to make sure the nation can defend its networks, which are now a "strategic vulnerability."&lt;br /&gt;&lt;br /&gt;Alexander said the biggest challenge facing the development of Cyber Command will be improving the defense of military networks, which will require better real-time knowledge of intrusions.&lt;br /&gt;&lt;br /&gt;He added that it will be difficult for the military to gain superiority in cyberspace, but the goal is "realistic."&lt;/blockquote&gt;&lt;/span&gt;Read the &lt;a href="http://news.yahoo.com/s/ap/20100414/ap_on_hi_te/us_pentagon_cyber"&gt;full article here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-1400085526164223423?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/1400085526164223423/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=1400085526164223423' title='8 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1400085526164223423'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1400085526164223423'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/04/military-asserts-right-to-return-cyber.html' title='Military asserts right to return cyber attacks'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>8</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-6784579100375170005</id><published>2010-04-16T22:52:00.002-04:00</published><updated>2010-04-16T22:53:54.275-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Espionage'/><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Crime'/><title type='text'>Almost all Fortune 500 companies show Zeus botnet activity</title><content type='html'>From Ars Technica ...&lt;br /&gt;&lt;span style="font-style:italic;"&gt;&lt;blockquote&gt;Up to 88% of Fortune 500 companies may have been affected by the Zeus trojan, according to research by RSA's FraudAction Anti-Trojan division, part of EMC. The trojan installs keystroke loggers to steal login credentials to banking, social networking, and e-mail accounts.&lt;br /&gt;&lt;br /&gt;The botnet was first identified in 2007 and is still around today. The malware tends to be difficult to detect and remove, and several million machines worldwide are believed to be infected. 
The Zeus server-side components, used to collect the stolen data, surprisingly mimic techniques more commonly seen in the world of commercial software; the software is licensed (with fees ranging from several hundred to a few thousand dollars), and each installation is tied to the hardware it's installed on in a system reminiscent of Microsoft's software activation. The malware itself predominantly attacks Windows XP machines, though Windows Vista and Windows 7 variants are available for sale too.&lt;/blockquote&gt;&lt;/span&gt;Read the &lt;a href="http://arstechnica.com/security/news/2010/04/almost-all-fortune-500-companies-show-zeus-botnet-activity.ars"&gt;full article here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-6784579100375170005?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/6784579100375170005/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=6784579100375170005' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/6784579100375170005'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/6784579100375170005'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/04/almost-all-fortune-500-companies-show.html' title='Almost all Fortune 500 companies show Zeus botnet activity'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-361584605296842499</id><published>2010-04-16T22:36:00.002-04:00</published><updated>2010-04-16T22:44:44.196-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Information Warfare'/><category scheme='http://www.blogger.com/atom/ns#' term='Deterrence'/><title type='text'>Security Incidents Rise In Industrial Control Systems</title><content type='html'>From Dark Reading ...&lt;br /&gt;&lt;span style="font-style:italic;"&gt;&lt;blockquote&gt;While only about 10 percent of industrial control systems are actually connected to the Internet, these systems that run water, wastewater, and utility power plants have suffered an increase in cybersecurity incidents over the past five years.&lt;br /&gt;&lt;br /&gt;A new report based on data gathered by the Repository of Industrial Security Incidents (RISI) database provides a rare look at trends in malware infections, hacks, and insider attacks within these traditionally cloistered operations. Cybersecurity incidents in petroleum and petrochemical control systems have declined significantly over the past five years--down more than 80 percent-- but water and wastewater have increased 300 percent, and power/utilities by 30 percent, according to the 2009 Annual Report on Cyber Security Incidents and Trends Affecting Industrial Control Systems.&lt;/blockquote&gt;&lt;/span&gt;&lt;br /&gt;As we've discussed in class, the ability to attack the critical infrastructure systems that control oil &amp;amp; gas, water, and power is the bridge between cyber warfare and physical warfare. 
A successful attack on these systems would surely harm our economy and possibly impede our ability to wage war.&lt;br /&gt;&lt;br /&gt;Read the &lt;a href="http://www.darkreading.com/insiderthreat/security/attacks/showArticle.jhtml?articleID=224400280&amp;amp;cid=RSSfeed"&gt;full article here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-361584605296842499?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/361584605296842499/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=361584605296842499' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/361584605296842499'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/361584605296842499'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/04/security-incidents-rise-in-industrial.html' title='Security Incidents Rise In Industrial Control Systems'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-53265555001996479</id><published>2010-04-12T21:43:00.003-04:00</published><updated>2010-04-12T21:56:20.047-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='humor'/><title type='text'>Stormtroopers365.com</title><content type='html'>I just stumbled across &lt;a 
href="http://stormtroopers365.com/"&gt;stormtroopers365.com&lt;/a&gt; aka the greatest photo blog on the Internet. The author took pictures of his Star Wars action figures every day for one year. I've posted one of my favorite photographs below.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://farm3.static.flickr.com/2465/3951143570_20b4eccd3f.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 500px; height: 333px;" src="http://farm3.static.flickr.com/2465/3951143570_20b4eccd3f.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;This has no relevance to class whatsoever. People my age think Star Wars is cool. I'm old.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-53265555001996479?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/53265555001996479/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=53265555001996479' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/53265555001996479'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/53265555001996479'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/04/stormtroopers365com.html' title='Stormtroopers365.com'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://farm3.static.flickr.com/2465/3951143570_20b4eccd3f_t.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-4257222460125411119</id><published>2010-04-12T21:32:00.003-04:00</published><updated>2010-04-14T06:28:38.906-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Crime'/><title type='text'>Iowa bank compromised, serving exploits</title><content type='html'>From &lt;a href="http://sunbeltblog.blogspot.com/2010/04/florida-bank-compromised-serving.html"&gt;Sunbelt Software's blog&lt;/a&gt; ...&lt;br /&gt;&lt;br /&gt;Northwestern Bank Online, a bank in Iowa, was compromised.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.sunbeltsoftware.com/alex/gblog/bank2werbw123882438_thumb.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 500px; height: 493px;" src="http://www.sunbeltsoftware.com/alex/gblog/bank2werbw123882438_thumb.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;On Friday April 9th, engineers from Sunbelt noticed that the Northwestern Bank Online site was redirecting to an exploit pack with infected vulnerable users.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.sunbeltsoftware.com/alex/gblog/northbank21q3848823488_thumb.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 501px; height: 382px;" src="http://www.sunbeltsoftware.com/alex/gblog/northbank21q3848823488_thumb.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Further &lt;a href="http://ddanchev.blogspot.com/2010/04/dissecting-northwestern-banks-client.html"&gt;investigation by Dancho Danchev&lt;/a&gt; revealed that this exploit dropped the Zeus banking trojan onto vulnerable victims' machines. 
Zeus is a particularly nasty piece of malware. Kevin Stevens and Don Jackson from SecureWorks provide an excellent write-up on Zeus &lt;a href="http://www.secureworks.com/research/threats/zeus/"&gt;here&lt;/a&gt;. You can also track live Zeus infections here at the &lt;a href="https://zeustracker.abuse.ch/"&gt;Zeus Tracker&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-4257222460125411119?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/4257222460125411119/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=4257222460125411119' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/4257222460125411119'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/4257222460125411119'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/04/iowa-bank-compromised-serving-exploits.html' title='Iowa bank compromised, serving exploits'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-1555207543776924639</id><published>2010-04-11T15:22:00.010-04:00</published><updated>2010-04-12T11:08:21.701-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Crime'/><title type='text'>Investigating a Phishing Attack</title><content type='html'>A former student noticed this strange email sent to a 
Georgetown University mailing address on Friday April 9, 2010. My former student noticed immediately that the email's return address was not in the Georgetown.edu domain and was instead warningalertweb@ymail.com. Ymail.com is a Yahoo! email domain. Further, the email requested students reply with their university userid and passwords. Clearly this was a phishing attempt. I trust that all current and former students of this class would have immediately recognized this email scam.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_EPdWwRHOzC8/S8Ipd2V03_I/AAAAAAAACaM/4u4nX1ZuutM/s1600/gu-phish.gif"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 250px;" src="http://4.bp.blogspot.com/_EPdWwRHOzC8/S8Ipd2V03_I/AAAAAAAACaM/4u4nX1ZuutM/s320/gu-phish.gif" border="0" alt="" id="BLOGGER_PHOTO_ID_5458971291106467826" /&gt;&lt;/a&gt;&lt;br /&gt;As I had some spare time this weekend, I decided to investigate this amateurish attempt to steal personal information from the student body. The first thing I did was examine the headers of the email. 
From the GMail web client you can view the headers by clicking on the down arrow immediately to the right of the reply icon and selecting show original.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_EPdWwRHOzC8/S8Ipnmxn5gI/AAAAAAAACaU/HOQQ-QWXgzo/s1600/gmail-show-headers.gif"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 12px;" src="http://2.bp.blogspot.com/_EPdWwRHOzC8/S8Ipnmxn5gI/AAAAAAAACaU/HOQQ-QWXgzo/s320/gmail-show-headers.gif" border="0" alt="" id="BLOGGER_PHOTO_ID_5458971458726782466" /&gt;&lt;/a&gt;&lt;br /&gt;An examination of the headers revealed that the email originated from a server in South Korea with the IP address 119.70.40.101. Further, it appears the spammers utilized a hacked email account belonging to a real estate agent in Roseburg, Oregon.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_EPdWwRHOzC8/S8IqE6T-4OI/AAAAAAAACac/i0izTwVcxmE/s1600/gu-phish-headers.gif"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 140px;" src="http://2.bp.blogspot.com/_EPdWwRHOzC8/S8IqE6T-4OI/AAAAAAAACac/i0izTwVcxmE/s320/gu-phish-headers.gif" border="0" alt="" id="BLOGGER_PHOTO_ID_5458971962187374818" /&gt;&lt;/a&gt;&lt;br /&gt;According to Project Honeypot, the South Korean server has previously been used by spam harvesters and comment spammers.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_EPdWwRHOzC8/S8IqnmBzZ3I/AAAAAAAACak/kfoqjoU7ykc/s1600/gu-phish-proxy.gif"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 307px;" 
src="http://2.bp.blogspot.com/_EPdWwRHOzC8/S8IqnmBzZ3I/AAAAAAAACak/kfoqjoU7ykc/s320/gu-phish-proxy.gif" border="0" alt="" id="BLOGGER_PHOTO_ID_5458972558037837682" /&gt;&lt;/a&gt;&lt;br /&gt;While satisfied that I understood how the spammers executed their fraud, I still wanted to know more about the individual(s) attempting to steal personal information from the student body. So, I decided to respond to their phishing attempt with one of my own. I set up a fake email account and responded to the phishing attempt with phony information. I embedded my phony reply with web bugs and links back to a blog that I established to act as a honeypot. &lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;My plan was simple. The scammer would open my response email thinking that they had stolen data from an unwitting victim. As they opened my email, the web bugs would beacon back to my blog, giving me the hacker's IP address. Alternatively, the attacker would be dumb enough to click on the embedded links to my phony blog. In this case, it appears the hacker was dumb enough to click on the links back to the fake blog. This action revealed that the hacker was retrieving the stolen information via a computer in Hyderabad, India. 
It is possible that the attacker was using a proxy to retrieve his stolen data, but the fact that he clicked on the blog link in my phony email doesn't give me much confidence that this clown practices solid operational security.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_EPdWwRHOzC8/S8Iqwy4-nbI/AAAAAAAACas/26CsVby1d34/s1600/gu-phish-origin.gif"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 318px; height: 320px;" src="http://2.bp.blogspot.com/_EPdWwRHOzC8/S8Iqwy4-nbI/AAAAAAAACas/26CsVby1d34/s320/gu-phish-origin.gif" border="0" alt="" id="BLOGGER_PHOTO_ID_5458972716109307314" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-1555207543776924639?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/1555207543776924639/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=1555207543776924639' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1555207543776924639'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1555207543776924639'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/04/investigating-phishing-attack.html' title='Investigating a Phishing Attack'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail 
xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_EPdWwRHOzC8/S8Ipd2V03_I/AAAAAAAACaM/4u4nX1ZuutM/s72-c/gu-phish.gif' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-1002328559795163134</id><published>2010-04-09T13:43:00.002-04:00</published><updated>2010-04-09T14:02:06.744-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Crime'/><title type='text'>Bank of America Employee Charged With Planting Malware on ATMs  Read More</title><content type='html'>&lt;div style="text-align: left;"&gt;From &lt;a href="http://www.wired.com/threatlevel/2010/04/bank-of-america-hack/"&gt;Wired's Threat Level&lt;/a&gt; ...&lt;/div&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;A Bank of America worker installed malicious software on his employer’s ATMs that allowed him to make thousands of dollars in fraudulent withdrawals, all without leaving a transaction record, according to federal prosecutors.&lt;br /&gt;&lt;br /&gt;Rodney Reed Caverly, 37, was a member of the bank’s IT staff when he installed the malware. The Charlotte, North Carolina, man made fraudulent withdrawals over a seven-month period ending in October 2009, according to prosecutors, who’ve charged him with one count of computer fraud.&lt;/span&gt;&lt;/blockquote&gt;The Wired piece continues with more detail&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;The charges were filed the same day that credit card company Visa warned the banking industry that Eastern European ATM malware recently showed up in America for the first time.&lt;br /&gt;&lt;br /&gt;That code, initially spotted last year on some 20 ATMs in Russia and Ukraine, was designed primarily to capture PINs and bank card magstripe data, but also allowed thieves to instruct the machine to eject whatever cash was still in it. 
At the time, security firm Trustwave warned that the malware was likely headed for ATMs in the United States.&lt;br /&gt;&lt;br /&gt;At least 16 versions of the East European malware have been found so far and were designed to attack ATMs made by Diebold and NCR, according to the April 1 Visa alert.&lt;br /&gt;&lt;br /&gt;There is no information tying the malware found in Russia with the malware allegedly used by Caverly. Bank of America did not immediately respond to a call for comment about the case, but told the Associated Press that the bank discovered the thefts internally. Caverly’s attorney did not return a call.&lt;br /&gt;&lt;br /&gt;Nick Percoco, vice president and head of Trustwave’s SpiderLabs Incident Response Team, said the malware does sound like it could be the malware found in East Europe or a version of it.&lt;br /&gt;&lt;br /&gt;“[Caverly] could have obtained a copy of that and modified it for his own use,” he told Threat Level. “But the ability to dispense cash without recording activity — that was definitely a feature of the East European malware.”&lt;/span&gt;&lt;/blockquote&gt;On a related note, police in Alexandria, Virginia, a mere twenty minutes from campus, reported the discovery of an ATM skimming device. According to the Alexandria Police Department, on Sunday, February 28, 2010, an ATM skimming device was discovered at the Wachovia Bank at 3624 King Street. The Police noted, "an ATM technician working on the machine found the skimming device.  The engineer took photos of the device and went inside the bank to notify the bank’s security office.  When he returned a few minutes later, the device had been removed. 
Several customers have come forward to report fraudulent charges on their bank cards with current losses estimated at over $60,000."&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="color: rgb(0, 0, 238); -webkit-text-decorations-in-effect: underline; "&gt;&lt;img src="http://alexandriava.gov/uploadedImages/News/Archived_News/hoffmaster_skimming3.jpg" border="0" alt="" style="display: block; margin-top: 0px; margin-right: auto; margin-bottom: 10px; margin-left: auto; text-align: center; cursor: pointer; width: 640px; height: 480px; " /&gt;&lt;/span&gt;&lt;div&gt;&lt;div style="text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;span class="Apple-style-span" style="-webkit-text-decorations-in-effect: underline; "&gt;&lt;/span&gt;Brian Krebs from Krebsonsecurity.com has extensively covered how criminals have used hardware and software tools to steal ATM card information and PIN codes. Check out his reporting &lt;a href="http://krebsonsecurity.com/2010/03/would-you-have-spotted-this-atm-fraud/"&gt;here&lt;/a&gt; and &lt;a href="http://krebsonsecurity.com/2010/02/atm-skimmers-part-ii/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-1002328559795163134?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/1002328559795163134/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=1002328559795163134' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1002328559795163134'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1002328559795163134'/><link rel='alternate' type='text/html' 
href='http://gucosc011.blogspot.com/2010/04/bank-of-america-employee-charged-with.html' title='Bank of America Employee Charged With Planting Malware on ATMs  Read More'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-1539051718829982079</id><published>2010-04-06T21:19:00.002-04:00</published><updated>2010-04-06T21:26:16.386-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Crime'/><title type='text'>Cyber criminals getting specialized, FBI says</title><content type='html'>From &lt;a href="http://fcw.com/articles/2010/03/23/web-fose-chabinsky-cyber-threat.aspx"&gt;Federal Computer Week&lt;/a&gt; ... &lt;br /&gt;&lt;br /&gt;At the FOSE 2010 conference the FBI's deputy assistant director of its Cyber Division, Steven Chabinsky, discussed the increasing specialization of skills in the cyber criminal marketplace. 
Chabinsky stated, “just like you have doctors who are specialists instead of general practitioners, we have cyber criminals who are specialists instead of general practitioners.”&lt;br /&gt;&lt;br /&gt;According to Chabinsky the most common cyber criminal specialities are:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Coders or programmers who write malware and exploits&lt;/li&gt;&lt;li&gt;Distributors or vendors who trade and sell stolen data&lt;/li&gt;&lt;li&gt;Techies who maintain the needed information technology infrastructures&lt;/li&gt;&lt;li&gt;Hackers&lt;/li&gt;&lt;li&gt;Fraudsters who create social engineering schemes&lt;/li&gt;&lt;li&gt;Hosters&lt;/li&gt;&lt;li&gt;Money movers&lt;/li&gt;&lt;li&gt;Launderers of digital proceeds and&lt;/li&gt;&lt;li&gt;People, often without technical skills, who handle personnel issues&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-1539051718829982079?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/1539051718829982079/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=1539051718829982079' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1539051718829982079'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1539051718829982079'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/04/cyber-criminals-getting-specialized-fbi.html' title='Cyber criminals getting specialized, FBI says'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-5408160848825047181</id><published>2010-04-06T21:00:00.004-04:00</published><updated>2010-04-06T21:17:17.366-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Espionage'/><category scheme='http://www.blogger.com/atom/ns#' term='Information Warfare'/><title type='text'>Researchers Trace Data Theft to Intruders in China</title><content type='html'>From the &lt;a href="http://www.nytimes.com/2010/04/06/science/06cyber.html"&gt;New York Times&lt;/a&gt; ...&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;Turning the tables on a China-based computer espionage gang, Canadian and United States computer security researchers have monitored a spying operation for the past eight months, observing while the intruders pilfered classified and restricted documents from the highest levels of the Indian Defense Ministry.&lt;br /&gt;&lt;br /&gt;In a report issued Monday night, the researchers, based at the Munk School of Global Affairs at the University of Toronto, provide a detailed account of how a spy operation it called the Shadow Network systematically hacked into personal computers in government offices on several continents.&lt;br /&gt;&lt;br /&gt;The Toronto spy hunters not only learned what kinds of material had been stolen, but were able to see some of the documents, including classified assessments about security in several Indian states, and confidential embassy documents about India’s relationships in West Africa, Russia and the Middle East. The intruders breached the systems of independent analysts, taking reports on several Indian missile systems. 
They also obtained a year’s worth of the Dalai Lama’s personal e-mail messages.&lt;/span&gt;&lt;/blockquote&gt;I had the pleasure of meeting one of the Citizen Lab's lead researchers, &lt;a href="http://www.nartv.org/"&gt;Nart Villeneuve&lt;/a&gt;, at a NATO conference last year and working with others including Greg Walton and Rafal Rohozinski while a member of &lt;a href="http://www.scribd.com/doc/13442963/Project-Grey-Goose-Phase-II-Report"&gt;Project Grey Goose&lt;/a&gt;. These guys do incredible work and have excellent insights into how nation-states and non-state actors use the Internet as a weapon.&lt;br /&gt;&lt;br /&gt;Their most recent report, &lt;a href="http://www.scribd.com/doc/29435784/SHADOWS-IN-THE-CLOUD-Investigating-Cyber-Espionage-2-0?secret_password=&amp;amp;autodown=pdf"&gt;SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0&lt;/a&gt;, is well worth the read, and many of the report's key findings apply directly to our class discussions. In the report's foreword the authors state,&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;Governments around the world are engaged in a rapid race to militarize cyber space, to develop tools and methods to fight and win wars in this domain. This arms race creates an opportunity structure ripe for crime and espionage to flourish. 
In the absence of norms, principles and rules of mutual restraint at a global level, a vacuum exists for subterranean exploits to fill.&lt;br /&gt;There is a real risk of a perfect storm in cyberspace erupting out of this vacuum that threatens to subvert cyberspace itself, either through over-reaction, a spiraling arms race, the imposition of heavy-handed controls, or through gradual irrelevance as people disconnect out of fear of insecurity.&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;For those of you considering examining how nation-states are using cyber weapons to achieve political goals, the SHADOWS IN THE CLOUD report is a must-read.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-5408160848825047181?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/5408160848825047181/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=5408160848825047181' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/5408160848825047181'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/5408160848825047181'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/04/researchers-trace-data-theft-to.html' title='Researchers Trace Data Theft to Intruders in China'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-7059877682502821124</id><published>2010-03-31T17:01:00.006-04:00</published><updated>2010-03-31T17:15:08.277-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='Terrorism'/><category scheme='http://www.blogger.com/atom/ns#' term='Information Warfare'/><title type='text'>Chechen rebel leader claims responsibility for attacks</title><content type='html'>As we discussed in class, terrorist groups often use the Internet to distribute propaganda. A favorite type of propaganda of various groups is the video claiming responsibility for an attack.&lt;br /&gt;&lt;br /&gt;As you all know, Russia has fallen victim to a series of suicide bombings this week, and according to the Washington Post, "Doku Umarov, leader of a separatist insurgency in the North Caucasus, which seeks to establish a fundamentalist Caucasus Emirate in the region, claimed responsibility for the Moscow attacks in a video posted on the kavkazcenter.com Web site. He said they were retaliation for a Russian attack on civilians in a village last month. He said the retribution would continue."&lt;br /&gt;&lt;br /&gt;For those interested, the specific page on kavkazcenter.com can be found &lt;a href="http://kavkazcenter.com/eng/content/2010/03/31/11760.shtml"&gt;here&lt;/a&gt;. 
Additionally, the video of Doku Umarov can be found &lt;a href="http://www.youtube.com/watch?v=Yu6oL0Hwirc"&gt;here on YouTube&lt;/a&gt;.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;div align=center&gt;&lt;object width="400" height="310"&gt;&lt;param name="movie" value="http://www.youtube.com/v/Yu6oL0Hwirc&amp;amp;hl=en_US&amp;amp;fs=1&amp;amp;"&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;embed src="http://www.youtube.com/v/Yu6oL0Hwirc&amp;amp;hl=en_US&amp;amp;fs=1&amp;amp;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="400" height="310"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-7059877682502821124?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/7059877682502821124/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=7059877682502821124' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/7059877682502821124'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/7059877682502821124'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/03/chechen-rebel-leader-claims.html' title='Chechen rebel leader claims responsibility for attacks'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-1842790227330109529</id><published>2010-03-31T05:44:00.006-04:00</published><updated>2010-03-31T05:59:05.558-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='Information Warfare'/><title type='text'>Google</title><content type='html'>&lt;div&gt;&lt;div style="text-align: left; "&gt;Google announced last week that it was moving its search operations from mainland China to Hong Kong. Users in China would now be redirected to its uncensored search engine at &lt;a href="http://www.google.com.hk/"&gt;http://www.google.com.hk/&lt;/a&gt;. You can read more about Google's decision to shut down its censored search service &lt;a href="http://www.nytimes.com/2010/03/23/technology/23google.html"&gt;here&lt;/a&gt; and &lt;a href="http://roomfordebate.blogs.nytimes.com/2010/01/15/can-google-beat-china/"&gt;here&lt;/a&gt;.&lt;/div&gt;&lt;br /&gt;Google also launched a new service that allows users to monitor its availability in Mainland China. 
This new service can be accessed &lt;a href="http://www.google.com/prc/report.html"&gt;here&lt;/a&gt;.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_EPdWwRHOzC8/S7McFodLNuI/AAAAAAAACZY/X-uDzNQxBgQ/s1600/prc-monitoring.gif"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 208px;" src="http://3.bp.blogspot.com/_EPdWwRHOzC8/S7McFodLNuI/AAAAAAAACZY/X-uDzNQxBgQ/s400/prc-monitoring.gif" border="0" alt="" id="BLOGGER_PHOTO_ID_5454734456760514274" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div style="text-align: left; "&gt;It's interesting to me that the PRC government has yet to block access to the uncensored Google served from www.google.com.hk but has blocked Google's more interactive services that allow one-to-many communication like Google Sites, YouTube, and Blogger. Only time will tell if China will extend its Great Firewall to fully block all of Google's services.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-1842790227330109529?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/1842790227330109529/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=1842790227330109529' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1842790227330109529'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1842790227330109529'/><link rel='alternate' type='text/html' 
href='http://gucosc011.blogspot.com/2010/03/google.html' title='Google'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_EPdWwRHOzC8/S7McFodLNuI/AAAAAAAACZY/X-uDzNQxBgQ/s72-c/prc-monitoring.gif' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-8719605906269875064</id><published>2010-03-30T20:47:00.002-04:00</published><updated>2010-03-30T20:54:53.974-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>How I’d Hack Your Weak Passwords</title><content type='html'>CEO of web company iFusion Labs and blogger John Pozadzides provides an entertaining read about password security on Lifehacker.com ...&lt;br /&gt;&lt;blockquote&gt;&lt;i&gt;If you invited me to try and crack your password, you know the one that you use over and over for like every web page you visit, how many guesses would it take before I got it?&lt;br /&gt;&lt;br /&gt;Let's see… here is my top 10 list. I can obtain most of this information much easier than you think, then I might just be able to get into your e-mail, computer, or online banking. 
After all, if I get into one I'll probably get into all of them.&lt;br /&gt;&lt;/i&gt;&lt;ol&gt;&lt;li&gt;&lt;i&gt;Your partner, child, or pet's name, possibly followed by a 0 or 1 (because they're always making you use a number, aren't they?)&lt;/i&gt;&lt;/li&gt;&lt;li&gt;&lt;i&gt;The last 4 digits of your social security number.&lt;/i&gt;&lt;/li&gt;&lt;li&gt;&lt;i&gt;123 or 1234 or 123456.&lt;/i&gt;&lt;/li&gt;&lt;li&gt;&lt;i&gt;"password"&lt;/i&gt;&lt;/li&gt;&lt;li&gt;&lt;i&gt;Your city, or college, football team name.&lt;/i&gt;&lt;/li&gt;&lt;li&gt;&lt;i&gt;Date of birth – yours, your partner's or your child's.&lt;/i&gt;&lt;/li&gt;&lt;li&gt;&lt;i&gt;"god"&lt;/i&gt;&lt;/li&gt;&lt;li&gt;&lt;i&gt;"letmein"&lt;/i&gt;&lt;/li&gt;&lt;li&gt;&lt;i&gt;"money"&lt;/i&gt;&lt;/li&gt;&lt;li&gt;&lt;i&gt;"love"&lt;/i&gt;&lt;/li&gt;&lt;/ol&gt;&lt;div&gt;&lt;i&gt;Statistically speaking that should probably cover about 20% of you. But don't worry. If I didn't get it yet it will probably only take a few more minutes before I do…&lt;/i&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;div&gt;The rest of the article provides an in-depth explanation of the various tools and techniques hackers use to steal user passwords and, more importantly, Mr. Pozadzides' recommendations on how you can improve your password security. 
Read &lt;a href="http://lifehacker.com/5505400/how-id-hack-your-weak-passwords"&gt;the rest of the article here&lt;/a&gt;.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-8719605906269875064?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/8719605906269875064/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=8719605906269875064' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/8719605906269875064'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/8719605906269875064'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/03/how-id-hack-your-weak-passwords.html' title='How I’d Hack Your Weak Passwords'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-1964000519665674555</id><published>2010-03-28T17:04:00.002-04:00</published><updated>2010-03-28T17:07:23.002-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='humor'/><title type='text'>Mafia Fail</title><content type='html'>From &lt;a href="http://abcnews.go.com/International/facebook-finds-mafia-boss/story?id=10124958"&gt;ABC News&lt;/a&gt; ...&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;One of Italy's 100 most-wanted criminals, a vicious mafia boss who had been on the run for 
months, was betrayed by his passion for social networking and flushed out thanks to Facebook.&lt;br /&gt;&lt;br /&gt;Using the name "Scarface" from the gangster movie starring Al Pacino, Pasquale Manfredi, 33, a boss of the ferocious 'Ndrangheta mafia organization from the Calabria region in southern Italy, had logged on to his Facebook account so often that police were able to trace the signal from his Internet key and find his hideout.&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;If only all criminals were this stupid.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-1964000519665674555?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/1964000519665674555/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=1964000519665674555' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1964000519665674555'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1964000519665674555'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/03/mafia-fail.html' title='Mafia Fail'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-1340493923741700184</id><published>2010-03-28T14:06:00.002-04:00</published><updated>2010-03-28T14:12:56.503-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' 
term='Cyber Crime'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Because that's where the money is</title><content type='html'>Brian Krebs checks in with an excellent post &lt;a href="http://www.krebsonsecurity.com/2010/03/cyber-crooks-leave-bank-robbers-in-the-dust/"&gt;comparing cyber crime to traditional crime&lt;/a&gt;. Krebs writes,&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;Organized cyber criminals stole more than $25 million from small to mid-sized businesses in brazen e-banking heists in the 3rd quarter of 2009 alone, federal regulators said last week. In contrast, traditional stick-up artists hauled less than $9.5 million out of U.S. banks over that same time period last year.&lt;/span&gt;&lt;/blockquote&gt;As we've discussed and Krebs points out,&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;Small wonder that the haul from cyber bank robberies has overtaken that of physical heists:  Cyber thieves take far fewer risks to life, liberty and limb than do real-life bank robbers. In that same three month period last year, the FBI says bank robberies at bricks-and-mortar institutions caused five deaths — all of them perpetrators of the crime.&lt;br /&gt;&lt;br /&gt;What’s more, the perpetrators of these incessant attacks against small businesses banking online for the most part reside in countries that are traditionally beyond the reach and influence of U.S. law enforcement. Sure, bank robbers occasionally kill people (more often themselves) while they’re stealing your money, instead of silently lifting it out of your bank account from afar like cyber thieves. That alone makes them a more emotional high-value target for the feds. But let’s face it: Traditional stick up artists are a lot easier to collar. 
For one thing, by necessity they are all here in the United States.&lt;br /&gt;&lt;br /&gt;In addition, while traditional bank robbers are limited to the amount of money they can physically carry from the scene of the crime, cyber thieves have a seemingly limitless supply of accomplices to help them haul the loot, by hiring so-called money mules to carry the cash for them.&lt;br /&gt;&lt;br /&gt;I can’t help but notice one other important distinction between these two types of bank crimes: The federal government sure publishes a lot more information about physical bank robberies than it makes available about online stick-ups.&lt;/span&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-1340493923741700184?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/1340493923741700184/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=1340493923741700184' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1340493923741700184'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1340493923741700184'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/03/because-thats-where-money-is.html' title='Because that&apos;s where the money is'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-5575979136477610721</id><published>2010-03-28T11:12:00.007-04:00</published><updated>2010-04-27T21:16:43.659-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Crime'/><category scheme='http://www.blogger.com/atom/ns#' term='Terrorism'/><title type='text'>There are Bad Neighborhoods Online Too</title><content type='html'>From the &lt;a href="http://www.abuse.ch/?p=2417"&gt;good netizens at the Zeus Tracker&lt;/a&gt; ...&lt;div&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;I always check the ZeuS Tracker statistics to get some information about the trend of the active ZeuS Command&amp;amp;Control servers. This morning I was really surprised what I saw on the ZeuS Tracker statistic page:&lt;/span&gt;&lt;/blockquote&gt;&lt;img src="http://www.abuse.ch/wp-content/massivezeusccdrop.png" style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 80%; height: 35%;" border="0" alt="" /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;As you can see in the chart above, on March 9th 2010, the number of active ZeuS C&amp;amp;C servers dropped from 249 to 181! The first thing I thought was: There has to be some problem with the ZeuS Tracker cron script. I checked the script – everything looked ok. So the massive drop of ZeuS C&amp;amp;C server is fact. I noticed that six of the worst ZeuS hosting ISP suddenly disappeared from the ZeuS Tracker.&lt;br /&gt;&lt;br /&gt;I verified the subnets of the affected ISP and came to the conclusion that Troyak-as (AS50215), the upstream provider for the six worst ZeuS hosting ISPs, was cut from the internet on 2010-03-09. 
As a result, the following ISPs lost their internet connectivity which finally resulted in a massive drop in the number of active ZeuS C&amp;amp;C servers.&lt;/span&gt;&lt;/blockquote&gt;In the physical world we're attuned to sense danger. We can all instinctively recognize a bad neighborhood. When we see dilapidated buildings, broken street lights, liquor stores on every block, prostitutes working street corners, and a lack of police presence, we all understand that we are not in a safe neighborhood.&lt;br /&gt;&lt;br /&gt;However, we have not yet developed the same sensory perception for our digital lives online. The Internet is made up of a series of neighborhoods known as autonomous systems (AS). Internet Service Providers "rent" space from these autonomous systems and provide hosting services for customers. Some criminal or indifferent hosting providers will work with like-minded autonomous systems to serve criminals and terrorists. These bad service providers foster bad neighborhoods online that allow for a good deal of the malicious activity that we see online today.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-5575979136477610721?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/5575979136477610721/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=5575979136477610721' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/5575979136477610721'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/5575979136477610721'/><link rel='alternate' type='text/html' 
href='http://gucosc011.blogspot.com/2010/03/there-are-bad-neighborhoods-online-too.html' title='There are Bad Neighborhoods Online Too'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-999641844478446352</id><published>2010-03-28T11:02:00.002-04:00</published><updated>2010-03-28T11:06:15.457-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='Terrorism'/><category scheme='http://www.blogger.com/atom/ns#' term='Information Warfare'/><title type='text'>Internet making it easier to become a terrorist</title><content type='html'>From &lt;a href="http://articles.latimes.com/2010/mar/11/nation/la-na-internet-jihad12-2010mar12"&gt;the LA Times&lt;/a&gt; ...&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;The abrupt transformation of Colleen R. LaRose from bored middle-aged matron to "JihadJane," her Internet alias, was unique in many ways, but a common thread ties the alleged Islamic militant to other recent cases of homegrown terrorism: the Internet.&lt;br /&gt;&lt;br /&gt;From charismatic clerics who spout hate online, to thousands of extremist websites, chat rooms and social networking pages that raise money and spread radical propaganda, the Internet has become a crucial front in the ever-shifting war on terrorism.&lt;br /&gt;&lt;br /&gt;"LaRose showed that you can become a terrorist in the comfort of your own bedroom," said Bruce Hoffman, professor of security studies at Georgetown University. "You couldn't do that 10 years ago."&lt;br /&gt;&lt;br /&gt;"The new militancy is driven by the Web," agreed Fawaz A. 
Gerges, a terrorism expert at the London School of Economics. "The terror training camps in Afghanistan and Pakistan are being replaced by virtual camps on the Web."&lt;br /&gt;&lt;br /&gt;From their side, law enforcement and intelligence agencies are scrambling to monitor the Internet and penetrate radical websites to track suspects, set up sting operations or unravel plots before they are carried out.&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;As we discussed last week in class, terrorist groups across the world have embraced the Internet as a vital tool in their information warfare arsenal. Time permitting, we will put our investigative hats on and explore the web in search of many of these digital hate safe havens in an effort to track those responsible for maintaining these sites.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-999641844478446352?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/999641844478446352/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=999641844478446352' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/999641844478446352'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/999641844478446352'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/03/internet-making-it-easier-to-become.html' title='Internet making it easier to become a terrorist'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-9111069773513253699</id><published>2010-03-28T10:47:00.003-04:00</published><updated>2010-03-28T10:54:41.497-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cyber Crime'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Malware delivered by Yahoo, Fox, Google ads</title><content type='html'>From &lt;a href="http://news.cnet.com/8301-27080_3-20000898-245.html?part=rss&amp;amp;subj=news&amp;amp;tag=2547-1_3-0-20"&gt;Elinor Mills at CNet&lt;/a&gt; ...&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;Malware that exploits holes in popular applications is being delivered by big ad delivery platforms including those run by Yahoo, Fox, and Google, according to Prague-based antivirus firm Avast.&lt;br /&gt;&lt;br /&gt;Viruses and other malware were found to be lurking in ads last year on high-profile sites like The New York Times and conservative news aggregator Drudge Report.com, and this year on Drudge, TechCrunch and WhitePages.com. The practice has been dubbed "malvertising."&lt;br /&gt;&lt;br /&gt;Now, researchers at Avast are pointing fingers at some large ad delivery platforms including Yahoo's Yield Manager and Fox Audience Network's Fimserve.com, which together cover more than 50 percent of online ads, and to a much smaller degree Google's DoubleClick. In addition, some of the malicious ads ended up on Yahoo and Google sites, Avast claims.&lt;/span&gt;&lt;/blockquote&gt;Mills continues,&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;Found in ads delivered from those networks was JavaScript code that Avast dubbed "JS:Prontexi," which Avast researcher Jiri Sejtko said is a Trojan in script form that targets the Windows operating system. 
It looks for vulnerabilities in Adobe Reader and Acrobat, Java, QuickTime, and Flash and launches fake antivirus warnings, Sejtko said.&lt;br /&gt;&lt;br /&gt;Users don't need to click on anything to get infected; a computer becomes infected after the ad is loaded by the browser, Avast said.&lt;br /&gt;&lt;br /&gt;Since the malware started spreading in late December, Avast has registered more than 2.6 million instances of it on customer computers. Nearly 530,000 of those were from Yield Manager and more than 16,300 from DoubleClick, Sejtko said.&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;That's pretty scary. Most web surfers feel safe browsing popular, well-branded sites, but they do not realize that many of these sites rely on third-party advertising services to manage their banner ads. As a result, should these services fail to properly vet the sources of their ads, well-established websites can easily be duped into running malicious ads. As pointed out in the article, all the user has to do is view an infected ad and malware is silently installed behind the scenes. 
The user is none the wiser.&lt;br /&gt;&lt;br /&gt;I've been following this attack for a while now, and if it is still running on Monday I plan on demonstrating it in class.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-9111069773513253699?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/9111069773513253699/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=9111069773513253699' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/9111069773513253699'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/9111069773513253699'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/03/malware-delivered-by-yahoo-fox-google.html' title='Malware delivered by Yahoo, Fox, Google ads'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-5285069437376119221</id><published>2010-03-27T22:03:00.003-04:00</published><updated>2010-03-27T22:08:36.316-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='Terrorism'/><category scheme='http://www.blogger.com/atom/ns#' term='Information Warfare'/><title type='text'>Dismantling of Saudi-CIA Web site illustrates need for 
clearer cyberwar policies</title><content type='html'>From the Washington Post,&lt;br /&gt;&lt;blockquote&gt;&lt;i&gt;By early 2008, top U.S. military officials had become convinced that extremists planning attacks on American forces in Iraq were making use of a Web site set up by the Saudi government and the CIA to uncover terrorist plots in the kingdom.&lt;br /&gt;&lt;br /&gt;"We knew we were going to be forced to shut this thing down," recalled one former civilian official, describing tense internal discussions in which military commanders argued that the site was putting Americans at risk. "CIA resented that," the former official said.&lt;br /&gt;&lt;br /&gt;Elite U.S. military computer specialists, over the objections of the CIA, mounted a cyberattack that dismantled the online forum. Although some Saudi officials had been informed in advance about the Pentagon's plan, several key princes were "absolutely furious" at the loss of an intelligence-gathering tool, according to another former U.S. official.&lt;/i&gt;&lt;/blockquote&gt;This case study highlights one of the dilemmas we discussed in last week's class. 
Should we leave potentially dangerous websites online in order to exploit them for actionable intelligence, or should we shut them down and deny terrorists an online safe haven?&lt;br /&gt;&lt;br /&gt;Read the whole article &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2010/03/18/AR2010031805464.html"&gt;here&lt;/a&gt; ...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-5285069437376119221?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/5285069437376119221/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=5285069437376119221' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/5285069437376119221'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/5285069437376119221'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/03/dismantling-of-saudi-cia-web-site.html' title='Dismantling of Saudi-CIA Web site illustrates need for clearer cyberwar policies'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-1160889521882148493</id><published>2010-03-08T12:20:00.007-05:00</published><updated>2010-03-08T12:35:49.676-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Information Warfare'/><title type='text'>Drug War Goes Digital</title><content type='html'>By now most 
of us are aware that al-Qaeda and other jihadist groups use the Internet to distribute propaganda. Of late other non-state actors have also embraced the Internet to get their message out.&lt;br /&gt;&lt;br /&gt;On March 3 a user claiming to represent the "&lt;a href="http://hispanicnewsnetwork.blogspot.com/2010/03/mexican-drug-cartel-federation-formed.html"&gt;Mexican Cyber Cartel&lt;/a&gt;", an alliance between the Cartel de Sinaloa, the Gulf Cartel and the Familia Michoacana, uploaded a video to YouTube. The video, entitled "The truth about what is happening in Tamaulipas and Nuevo Leon", appears to be an attempt by the Mexican Cyber Cartel to win public support in its ongoing war with "Los Zetas" - a criminal/mercenary army of ex-Mexican special forces soldiers.&lt;div&gt;&lt;br /&gt;&lt;br /&gt;&lt;div align="center"&gt;&lt;object width="380" height="280"&gt;&lt;param name="movie" value="http://www.youtube.com/v/0qnSy1SyJ9E&amp;amp;hl=en_US&amp;amp;fs=1&amp;amp;"&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;embed src="http://www.youtube.com/v/0qnSy1SyJ9E&amp;amp;hl=en_US&amp;amp;fs=1&amp;amp;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="380" height="280"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;Hat Tip to Georgetown Grad &lt;a href="http://twitter.com/Xeus/status/10176470794"&gt;Ben Turner&lt;/a&gt; for pointing this video out.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-1160889521882148493?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/1160889521882148493/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=1160889521882148493' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1160889521882148493'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/1160889521882148493'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/03/drug-war-goes-digital.html' title='Drug War Goes Digital'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-4871160946316479768</id><published>2010-03-07T10:51:00.003-05:00</published><updated>2010-03-07T11:07:39.248-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Information Warfare'/><title type='text'>Fear, Uncertainty, and Doubt</title><content type='html'>Flipping through my Google Reader this morning I noticed this gem of a quote from Michael Chertoff, former head of the Department of Homeland Security. Chertoff was speaking on a panel at the RSA conference about the need for improving cyber attack attribution capabilities. According to a &lt;a href="http://www.computerworld.com/s/article/9165638/Tracing_attack_source_key_to_cybersecurity_strategy_Chertoff_says?source=rss_security"&gt;Computer World article&lt;/a&gt; Chertoff noted that "the difficult task of identifying the true sources of cyber attacks remains one of the biggest challenges in the development of a national cybersecurity strategy." Further Chertoff also observed that "by comparison, physical attacks are relatively easy to track down and respond to." 
Specifically, Chertoff said, "In the Cold War we could attribute an attack. It was clear where it came from and we could respond."&lt;br /&gt;&lt;br /&gt;Umm, correct me if I'm wrong, but the &lt;a href="http://www.fbi.gov/anthrax/amerithraxlinks.htm"&gt;FBI closed the case on the 2001 Anthrax attacks&lt;/a&gt; in February 2010 after formally charging Bruce Ivins in 2008. I submit that assigning attribution in this attack was not &lt;i&gt;relatively easy&lt;/i&gt;.&lt;br /&gt;&lt;br /&gt;The problem with Chertoff's, and many policy makers', thinking is a Cold War mindset. In the post-Cold War/Globalized/GWOT/whatever-you-want-to-call-it era, attacks can be carried out by anyone, anywhere, at any time. This makes attribution hard in any form of attack - physical or digital.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-4871160946316479768?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/4871160946316479768/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=4871160946316479768' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/4871160946316479768'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/4871160946316479768'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/03/fear-uncertainty-and-doubt.html' title='Fear, Uncertainty, and Doubt'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-6459222736585421930</id><published>2010-02-25T16:56:00.003-05:00</published><updated>2010-02-25T17:03:23.227-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Lawful Surveillance</title><content type='html'>For those interested, Cryptome.org has published a series of internal manuals used by companies such as Facebook, Microsoft, AOL, and others that document how these companies work with law enforcement agencies to retain and transmit data about persons of interest. In light of our discussion of the &lt;a href="http://www.amazon.com/Shadow-Factory-NSA-Eavesdropping-America/dp/0307279391/ref=sr_1_1?ie=UTF8&amp;amp;s=books&amp;amp;qid=1267135299&amp;amp;sr=8-1"&gt;Shadow Factory&lt;/a&gt; and our discussion of government surveillance in general, I thought these manuals would interest many of you.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Check out &lt;a href="http://www.cryptome.org/"&gt;cryptome.org&lt;/a&gt; for links to the manuals.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-6459222736585421930?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/6459222736585421930/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=6459222736585421930' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/6459222736585421930'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/4050177321399051504/posts/default/6459222736585421930'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/02/lawful-surveillance.html' title='Lawful Surveillance'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-3283212931220890578</id><published>2010-02-23T09:04:00.002-05:00</published><updated>2010-02-23T09:23:19.196-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Block all Drive-By Download Exploits</title><content type='html'>In the interest of arming students with tools and techniques to protect themselves from malicious software, I'd like to discuss the imminent arrival of &lt;a href="http://www.blade-defender.org/"&gt;BLADE&lt;/a&gt; - short for Block all Drive-By Download Exploits.&lt;br /&gt;&lt;br /&gt;BLADE appears to be similar to &lt;a href="http://gucosc011.blogspot.com/2009/04/use-sandboxie.html"&gt;Sandboxie&lt;/a&gt; - another tool I've discussed in the past. Phil Porras, a Program Director for the project from SRI International, states that BLADE acts as a sandbox for the browser and prevents malware from being written to the hard drive.&lt;div&gt;&lt;br /&gt;&lt;br /&gt;Although the BLADE project team has not yet released the tool, it has &lt;a href="http://www.blade-defender.org/eval-lab/"&gt;published interesting statistics&lt;/a&gt; gathered during the testing of the software. To date BLADE has tested 5579 Drive-By Exploits from 1318 unique malicious URLs. 
According to these statistics, users running Microsoft Internet Explorer were successfully compromised 43.9% of the time.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span class="Apple-style-span" style="color: rgb(0, 0, 238); -webkit-text-decorations-in-effect: underline; "&gt;&lt;img src="http://4.bp.blogspot.com/_EPdWwRHOzC8/S4PkOyonc0I/AAAAAAAACYo/hWwRz9ZI0xE/s320/blade-browser-targets.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5441443717555123010" style="display: block; margin-top: 0px; margin-right: auto; margin-bottom: 10px; margin-left: auto; text-align: center; cursor: pointer; width: 320px; height: 191px; " /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="color: rgb(0, 0, 238); -webkit-text-decorations-in-effect: underline; "&gt;&lt;span class="Apple-style-span" style="color: rgb(0, 0, 0); "&gt;Further, the Adobe Reader plug-in was successfully compromised 56.8% of the time.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="color: rgb(0, 0, 238); -webkit-text-decorations-in-effect: underline; "&gt;&lt;span class="Apple-style-span" style="-webkit-text-decorations-in-effect: underline; "&gt;&lt;img src="http://1.bp.blogspot.com/_EPdWwRHOzC8/S4PkZWd6OaI/AAAAAAAACYw/bLBubzhJYAI/s320/blade-browser-targets.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5441443898972584354" style="display: block; margin-top: 0px; margin-right: auto; margin-bottom: 10px; margin-left: auto; text-align: center; cursor: pointer; width: 320px; height: 191px; " /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="color: rgb(0, 0, 238); -webkit-text-decorations-in-effect: underline; "&gt;&lt;span class="Apple-style-span" style="-webkit-text-decorations-in-effect: underline; "&gt;&lt;span class="Apple-style-span" style="color: rgb(0, 0, 0); "&gt;The most disconcerting statistic is that Anti-Virus software failed to detect 72.8% of these 
exploits.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span class="Apple-style-span" style="color: rgb(0, 0, 238); -webkit-text-decorations-in-effect: underline; "&gt;&lt;span class="Apple-style-span" style="-webkit-text-decorations-in-effect: underline; "&gt;&lt;span class="Apple-style-span" style="color: rgb(0, 0, 0); "&gt;&lt;a href="http://4.bp.blogspot.com/_EPdWwRHOzC8/S4PkkUeRguI/AAAAAAAACY4/acd818UfNM8/s1600-h/blade-av-detect-rates.jpg"&gt;&lt;img src="http://4.bp.blogspot.com/_EPdWwRHOzC8/S4PkkUeRguI/AAAAAAAACY4/acd818UfNM8/s320/blade-av-detect-rates.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5441444087415800546" style="display: block; margin-top: 0px; margin-right: auto; margin-bottom: 10px; margin-left: auto; text-align: center; cursor: pointer; width: 320px; height: 213px; " /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="color: rgb(0, 0, 238); -webkit-text-decorations-in-effect: underline; "&gt;&lt;span class="Apple-style-span" style="-webkit-text-decorations-in-effect: underline; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-3283212931220890578?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/3283212931220890578/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=3283212931220890578' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/3283212931220890578'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/3283212931220890578'/><link 
rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/02/block-all-drive-by-download-exploits.html' title='Block all Drive-By Download Exploits'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_EPdWwRHOzC8/S4PkOyonc0I/AAAAAAAACYo/hWwRz9ZI0xE/s72-c/blade-browser-targets.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-4642768848074543966</id><published>2010-02-21T18:28:00.003-05:00</published><updated>2010-02-21T18:30:06.353-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Admin'/><title type='text'>Batman FTW</title><content type='html'>This is in no way related to class. 
I just found the cartoon really amusing.&lt;div&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://6.media.tumblr.com/tumblr_kvjkumbo0s1qzcujbo1_500.jpg"&gt;&lt;span class="Apple-style-span"  style="color:#000000;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 416px; height: 555px;" src="http://6.media.tumblr.com/tumblr_kvjkumbo0s1qzcujbo1_500.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;div style="text-align: center;"&gt;Image courtesy &lt;a href="http://ffffound.com/"&gt;http://ffffound.com/&lt;/a&gt;.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-4642768848074543966?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/4642768848074543966/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=4642768848074543966' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/4642768848074543966'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/4642768848074543966'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/02/batman-ftw.html' title='Batman FTW'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-3920579367001892030</id><published>2010-02-19T14:20:00.002-05:00</published><updated>2010-02-19T14:28:06.901-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>My Kind of Privacy Policy</title><content type='html'>As we've discussed in class, most users fail to read or understand the privacy policies of the various social networks and websites they visit. In many cases these privacy policies are written in opaque and dense legalese. Users have grown accustomed to these impossibly confusing privacy policies and as a result routinely ignore them.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I'm happy to report a pleasant surprise. While signing up for the new online service &lt;a href="http://www.backupify.com/"&gt;Backupify.com&lt;/a&gt;, I took a moment to examine the website's privacy policy. It was shocking in its clarity.  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Backupify's privacy policy is as follows:&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"   style="  ;font-family:Times;font-size:medium;"&gt;&lt;p&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;&lt;i&gt;Backupify is a strong supporter of online privacy and individual rights. We only collect data necessary to run the service effectively. Any data you store on Backupify is yours. We claim no rights to it. We don't look at it, we don't sell it, we don't analyze it, or anything else. Below are some specific questions we get and answers to them.&lt;/i&gt;&lt;/p&gt;&lt;p&gt;&lt;b&gt;&lt;i&gt;What information is collected about me?&lt;/i&gt;&lt;/b&gt;&lt;i&gt;&lt;br /&gt;We only collect data you provide us at sign-up. 
We do not ask for any other personal information. We do not collect data without your knowledge.&lt;/i&gt;&lt;/p&gt;&lt;p&gt;&lt;b&gt;&lt;i&gt;How do you use collected information?&lt;/i&gt;&lt;/b&gt;&lt;i&gt;&lt;br /&gt;We don't use it at all. The only thing we collect and monitor is general patterns of storage and service usage so that we can make sure our architecture is optimized for speed and scalability.&lt;/i&gt;&lt;/p&gt;&lt;p&gt;&lt;b&gt;&lt;i&gt;What security measures do you use to protect my privacy?&lt;/i&gt;&lt;/b&gt;&lt;i&gt;&lt;br /&gt;Any information we have about you is stored with strong encryption.&lt;/i&gt;&lt;/p&gt;&lt;p&gt;&lt;b&gt;&lt;i&gt;Will my information be shared with others?&lt;/i&gt;&lt;/b&gt;&lt;i&gt;&lt;br /&gt;No. Your information will not be shared with anyone, except in cases where information may be subpoenaed by law.&lt;/i&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;&lt;/p&gt;&lt;/span&gt;&lt;/div&gt;Wow. That's pretty straightforward. I can only hope that other online service providers follow Backupify's lead and rewrite their privacy policies in such clear terms.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;For those interested, Backupify is an online service provider that provides an in-the-cloud backup service for your online accounts like Facebook, GMail, etc.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-3920579367001892030?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/3920579367001892030/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=3920579367001892030' title='1 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/4050177321399051504/posts/default/3920579367001892030'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/3920579367001892030'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/02/my-kind-of-privacy-policy.html' title='My Kind of Privacy Policy'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-3364116587459956691</id><published>2010-02-19T10:47:00.003-05:00</published><updated>2010-02-19T11:06:48.864-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>School Spies Students Through Their Laptop Cameras</title><content type='html'>According to the &lt;a href="http://news.yahoo.com/s/ap/us_laptops_spying_on_students"&gt;Associated Press&lt;/a&gt;, "a suburban Philadelphia school district used the webcams in school-issued laptops to spy on students at home, potentially catching them and their families in compromising situations, a family claims in a federal lawsuit."&lt;br /&gt;&lt;br /&gt;A lawsuit against the Lower Merion School District contends that "the school district can activate the webcams without students' knowledge or permission."&lt;br /&gt;&lt;br /&gt;The plaintiffs in the suit allege that Lindy Matsko, an assistant principal at Harriton High School, informed them that their son had engaged in improper behavior at home. The lawsuit stated, "(Matsko) cited as evidence a photograph from the webcam embedded in minor plaintiff's personal laptop issued by the school district." 
Further, Matsko later confirmed to the plaintiffs that the school had the ability to remotely activate webcams in the school-issued laptops.&lt;br /&gt;&lt;br /&gt;According to &lt;a href="http://gizmodo.com/5474614/school-spies-students-through-their-laptop-cameras?utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed:+gizmodo/full+(Gizmodo)&amp;amp;utm_content=Google+Reader"&gt;Gizmodo&lt;/a&gt;, the school-issued laptops come with Apple Remote Desktop, which would allow administrators to remotely access the school-issued MacBooks and to turn on the embedded iSight camera. Gizmodo's Jesus Diaz succinctly sums up my feelings about the Lower Merion School District administration, writing "way to go, KGB-wannabe assclowns."&lt;br /&gt;&lt;br /&gt;If you're going to give students laptops to aid in their academic pursuits, don't effing use that same laptop as a tool of surveillance and repression. And no, I don't think I'm being too dramatic with my language. As Uncle Ben said to Peter Parker, "with great power comes great responsibility."&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Hat tip to your classmate Oliver for originally referring this story to me.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-3364116587459956691?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/3364116587459956691/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=3364116587459956691' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/3364116587459956691'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/3364116587459956691'/><link 
rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/02/school-spies-students-through-their.html' title='School Spies Students Through Their Laptop Cameras'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4050177321399051504.post-5756435732315311099</id><published>2010-02-17T13:41:00.003-05:00</published><updated>2010-02-17T18:19:45.069-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Technology'/><category scheme='http://www.blogger.com/atom/ns#' term='anonymization'/><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Please Rob Me</title><content type='html'>Jennifer Van Grove from Mashable.com checks in with a report about an interesting new website that highlights the &lt;a href="http://mashable.com/2010/02/17/pleaserobme/"&gt;potential dangers of social media networks with location sharing services&lt;/a&gt; like Loopt, Foursquare and Google Buzz.&lt;br /&gt;&lt;br /&gt;The creators of &lt;a href="http://pleaserobme.com/"&gt;PleaseRobMe.com&lt;/a&gt; offer this description of their website:&lt;br /&gt;&lt;blockquote&gt;&lt;i&gt;The danger is publicly telling people where you are. This is because it leaves one place you're definitely not... home. So here we are; on one end we're leaving lights on when we're going on a holiday, and on the other we're telling everybody on the internet we're not home. It gets even worse if you have "friends" who want to colonize your house. That means they have to enter your address, to tell everyone where they are. Your address.. on the internet.. 
Now you know what to do when people reach for their phone as soon as they enter your home. That's right, slap them across the face.&lt;/i&gt;&lt;/blockquote&gt;As Van Grove points out, there is evidence that criminals are using information gleaned from these social networking services to do more than commit cyber fraud. In some cases, criminals are using this information to aid in burglary. In &lt;a href="http://mashable.com/2009/06/01/twitter-related-burglary/"&gt;a separate report for Mashable.com&lt;/a&gt;, Van Grove wrote:&lt;br /&gt;&lt;i&gt;&lt;blockquote&gt;Unfortunately, over-sharing of this variety has been known to cause adverse side effects. Most recently, Israel Hyman (@izzyvideo), a video podcaster, took a trip to the midwest with his family and twittered about the excursion. He came home to find that his house had been burglarized.&lt;/blockquote&gt;&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;This site is just another example of how many, in their rush to adopt the latest social media tool, inadvertently share too much of their personal information.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4050177321399051504-5756435732315311099?l=gucosc011.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://gucosc011.blogspot.com/feeds/5756435732315311099/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4050177321399051504&amp;postID=5756435732315311099' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/5756435732315311099'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4050177321399051504/posts/default/5756435732315311099'/><link rel='alternate' type='text/html' href='http://gucosc011.blogspot.com/2010/02/please-rob-me.html' title='Please Rob 
Me'/><author><name>Ned Moran</name><uri>http://www.blogger.com/profile/17232327294288429394</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry></feed>
