Wednesday, November 26, 2008

Gmail 'vulnerability' turns out to be phishing scam

Posted by Steven Musil

 

Reports that a purported Gmail vulnerability was being used by unauthorized third parties to hijack domains turned out to be nothing more than a phishing scam, Google announced Tuesday.

 

The alleged vulnerability reportedly allowed an attacker to set up filters on users' e-mail accounts without their knowledge, according to a proof of concept posted Sunday at the blog Geek Condition. In the post, Geek Condition's "Brandon" wrote that the vulnerability had caused some people to lose their domain names registered through GoDaddy.com.

 

However, after consulting with those who claimed to be affected by the so-called vulnerability, Google determined that they were victims of a phishing scam, Google information security engineer Chris Evans explained in a blog:

 

    Attackers sent customized e-mails encouraging Web domain owners to visit fraudulent Web sites such as "google-hosts.com" that they set up purely to harvest usernames and passwords. These fake sites had no affiliation with Google, and the ones we've seen are now offline. Once attackers gained the user credentials, they were free to modify the affected accounts as they desired.

 

A Google representative contacted me early Monday to let me know the company was trying contact "Brandon" to get more information on his claim, but there was no word whether that blogger helped Google arrive at its conclusion. As of this writing, the blog has not been updated to mention Google's finding.

 

While this security breach was apparently unrelated to Gmail's operation, Google reminded users to enter Gmail sign-in credentials only at Web addresses starting with "https://www.google.com/accounts," and not to ignore warnings their browsers may raise regarding certificates.

Thursday, November 20, 2008

 

Experts: Cyber-crime as Destructive as Credit Crisis

 

Cyber-crime is likely to wreak as much havoc as the credit crisis in the coming years if international regulation is not improved, according to some of the world's top crime experts. Damage caused by cyber-crime is estimated at $100 billion annually, says Kilian Strauss, of the Organization for Security and Cooperation in Europe.

 

FRANKFURT (Reuters)—Cybercrime is likely to wreak as much havoc as the credit crisis in the coming years if international regulation is not improved, some of the world's top crime experts said on Wednesday.

 

Damage caused by cybercrime is estimated at $100 billion annually, said Kilian Strauss, of the Organization for Security and Cooperation in Europe (OSCE).

 

"These criminals, they outsmart us ten, or a hundred to one," Strauss told Reuters, adding more internet experts were needed to investigate and tackle cybercrime.

 

Criminal organizations are exploiting a regulatory vacuum to commit internet crimes such as computer spying, money-laundering and theft of personal information, and the scope for damage is vast, experts told a European Economic Crime conference in Frankfurt.

 

"We need multilateral understanding, account and oversight to avoid, in the years to come, a cyber crisis equivalent to the current financial crisis," Antonio Maria Costa, Executive Director of the United Nations Office on Drugs and Crime, said.

 

Internet crime is also a threat to national security, they said. Several countries, including the United States, have voiced concern over Russia's and China's abilities to electronically spy on them and disrupt computer networks.

 

Calls for greater regulation of the internet come at a time of regulatory renaissance, with policymakers looking to bolster the powers of financial sector watchdogs in the wake of the global financial crisis.

 

"Because of the transnational nature of identity-related crime, and especially of cybercrime, if we do not tackle the crime everywhere we will not solve it anywhere," Costa said.

 

The President of Interpol, Khoo Boon Hui, said increasingly tech-savvy gangs from China, India, Eastern Europe and Africa were coming up with ever more sophisticated ways of swindling money from vulnerable people.

 

He also said there was a trend of company bosses being bribed by fraudsters claiming to have incriminating evidence about their firms.

 

Strauss, who works as Senior Programme Officer at the Office of the Co-ordinator of OSCE Economic and Environmental activities, said Internet crime watchdogs could learn a lot from criminals willing to switch sides.

Wednesday, November 19, 2008

 

Economic Bust, Cybercrime Boom

Andy Greenberg,

 

The first ripples of a growing wave of cybercrime may be appearing.

 

In the physical world, the connection between declining business and crime is simple enough: As the above-ground economy suffers, the underground economy swells. The connection between economic trouble and cybercrime is trickier to prove. But as the economy slows, some crime watchers see signs that a portion of newly unemployed skilled tech workers are turning to the theft and exploitation of sensitive data even as the existing cybercriminal economy is finding new ways to exploit consumer confusion around the banking meltdown.

 

Meanwhile data on industry spending for security suggests that companies are preparing for the worst. Fear about the downturn's consequences for data protection has kept the cybersecurity industry practically recession-proof, even as other IT spending slumps.

 

Gartner security analyst Avivah Litan reports that in recent months, banking clients have been warning her of a spike in fraud, much of it based on the use of stolen financial data. "There's been a marked increase in the number of attacks and the number of successful fraud attempts," says Litan, who plans to publish a formal report in December. "This is the busiest my practice has ever been."

 

Litan blames the attacks on the thousands of IT workers who have recently found themselves jobless, with the technical abilities needed to steal data or perpetrate fraud along with specific knowledge of their former employer's IT systems. "In times like these, people need the cash," she says. "You have disgruntled IT employees that leave companies, take customer records with them to sell them on the black market."

 

As the financial crisis spreads from the U.S. to other parts of the world, it will likely drive more laid-off employees into the Eastern European and Russian cybercriminal economy, says Scott Borg, director and chief economist at the U.S. Cyber Consequences Unit, a nonprofit organization that acts as a go-between for the private sector and government on cybersecurity issues. Borg says he's spoken with local government officials about "identifiable pockets of engineers" that are migrating from legitimate computer work to the Internet underworld. "These are talented computer scientists, people who expected to be in positions of prestige, but are now unemployed without prospects, basically let down by their system."

 

For now, those hints of a trend are difficult to back up with numbers. Security researchers at McAfee, for instance, report an explosion in the number of different strains of malicious software plaguing the Internet in recent months. Dave Marcus, McAfee's director of security research, says the most recent uptick began in March--when the company began detecting around 170,000 strains a month versus 30,000 or 40,000 in earlier months. This was around the time of the collapse of Bear Stearns but still several months before the brunt of the credit crisis hit the technology sector.

 

At least one sort of cyberattack can be linked directly to the downturn: scam e-mails that exploit consumer confusion resulting from the banking crisis. E-mail security firm Message Labs has tracked floods of so-called "phishing" e-mails following practically every rumor of a bank merger or collapse, impersonating official bank statements and asking users to "verifying your account details." That string of new scam targets has pushed the total volume of phishing e-mails from a maximum of around 400,000 a day in August to nearly 800,000 a day in November.

 

There's also some evidence that the scams are more profitable than ever. MessageLabs researcher Maksym Schipka, who often monitors Russian-language cybercriminal Web forums, says he has seen dozens of advertisements for stolen identity information that have doubled or tripled their prices over the last month. A stolen identity that once cost $5, for instance, now sells for $15, he says.

 

Schipka believes that's a result of two factors: Consumers are using a smaller fraction of their credit cards' credit limit, leaving more to be stolen by fraudsters, and a higher fraud rate has led to more demand for personal information. "This is a market driven completely by supply and demand, and a rise in demand is driving the change in the shadow economy," he says.

 

While that kind of data remains largely anecdotal, the evidence is enough to keep corporations spending on cybersecurity technology even as they trim expenditures on other information technology. According to a report earlier this month from Gartner's Avivah Litan, banks plan to keep spending on fraud prevention systems through the downturn.

 

In another report last month from research firm IDC, less than 10% of companies planned to cut security spending, the least of any category of tech expenditures. More than a quarter of those companies, by contrast, planned to scale back spending on business intelligence software and collaboration software.

 

Another report from Forrester Research in September showed that IT spending would increase during the banking meltdown to account for 10% of total IT budgets. The bulk of that money, says Forrester analyst Jonathan Penn, will go toward systems designed to keep former employees or disgruntled workers out of proprietary systems and to prevent business-killing data breaches.

 

"In periods of recession or slow growth, companies are going to turn their attentions to customer retention rather than customer acquisition," writes Penn in an e-mail. "The last thing you need in that environment is a data breach and the associated brand damage."

Tuesday, November 18, 2008

 

Phishing Attacks Reach Record Highs

Cyveillance researchers attribute spike to financial downturn

By Tim Wilson

 

Phishing attacks have hit new records for volume and frequency during the past two months, a researcher said today.

In the first quarter of 2008, Cyveillance typically saw a daily average number of phishing attacks in the low-400 range, the company said. In the past month, however, that average has increased to more than 1,750, with record peaks as high as 13,209 in a single day.

 

During the first half of this year, the quantities and frequency of the attacks have steadily increased, averaging 400 to 500 per day, with spikes occasionally reaching nearly 1,000 per day, Cyveillance said. While the summer of 2008 brought an overall slowdown in attacks, there has been a significant increase in attack volumes and frequency of spikes since September. Cyveillance analysts and outside observers attribute the increased volumes to many influences, most notably the worldwide financial crisis and the relentless efforts by phishers to elude detection.

 

"We are seeing spikes in phishing attacks far higher than we have ever seen in the past, due in part to cybercriminals taking advantage of the recent instability in the financial markets," said Panos Anastassiadis, CEO and chairman of Cyveillance.

 

The Anti-Phishing Working Group reported earlier this month that crimeware-spreading URLs infecting PCs with password-stealing code rose 93 percent in the first quarter to 6,500 sites, nearly double the previous high of November 2007 -- and an increase of 337 percent from the number detected end of Q1, 2007.

Cyber defense, not cyberattacks, top priority

 

SAN DIEGO -- The United States remains the country most vulnerable to a cyberattack and should concentrate more on defending its computer networks, not on launching offensive cyberattacks, said one of the nation's top cybersecurity officials.

 

Comment on this article in The Forum.Mike McConnell, director of National Intelligence, told a military communications conference here on Monday, that the need to conduct cyberattacks pales in comparison to the country's responsibility for a rigorous defense of its networks that operate the banking, finance, transportation and electrical industries, which underpin the economy.

 

"Data destruction is a greater threat [to the United States] than hacking," said McConnell, who spoke at the annual Armed Forces Communications and Electronics Association's MILCOM conference. "It is our soft underbelly."

 

For example, he said if someone could scramble the data in a bank's financial system, it would be tantamount to destroying the bank.

 

In addition, McConnell said the national intelligence community plans to release within the next week its analysis of potential conflicts during the next 15 to 20 years. The forecast traditionally is released between Election Day and Inauguration Day and focuses on the shortage of water and the price of food will increase by 50 percent, which could lead to potential conflicts.

 

Demand for food and water will be driven by a global increase in population, which will increase by 1.4 billion people during the next two decades, and many of those people will not have access to potable water, McConnell said.

 

The intelligence community believes the focus on natural resources will shift from oil to coal and natural gas, changing the competition for natural resources, he said. McConnell predicted that not only nations but terrorist groups will try to claim natural resources.

 

The forecast does not include a nuclear incident in the next 15 years, but McConnell said the likelihood of one has increased, particularly if Iran develops a nuclear weapon.

 

Wednesday, November 12, 2008

 

Cyberthieves mine online for corporate data nuggets

By Byron Acohido, USA TODAY

 

An innocuous posting appeared on a Houston-based technology company's internal website on a recent Friday afternoon.

 

A couple of workers saw it, and obeyed instructions to click on a Web link. The posting seemed trustworthy. It was on an employees-only message board. And the link referenced news about a favorite company charity.

 

By clicking on the link, the workers infected their PCs with a virus that shut down the company's antivirus defenses, says Don Jackson, director of Threat Intelligence at Atlanta-based SecureWorks, who investigated the break-in. As a rule, tech security firms help clients under non-disclosure agreements.

 

The virus swiftly located — and infected — some 300 other workstation PCs, silently copying the contents of each computer's MyDocuments folder. It transmitted the data across the Internet to a gang of thieves operating out of Turkey.

 

"It was kind of like high-tech dumpster diving," Jackson says. "You get in, grab all the stuff you think might be important and sort through it later."

 

That Sept. 19 caper underscores an alarming shift in the teeming world of Internet crime. In the past year, cybercriminals have begun to infiltrate corporate tech systems as never before. Knowing that some governments and companies will pay handsomely for industrial secrets, data thieves are harvesting as much corporate data as they can, in anticipation of rising demand.

 

Criminal groups are beginning to refine business models for turning data raided from corporate networks into cold, hard cash. "As they get better at finding ways to sell the information they steal, we can expect this type of attack to become more common — and harder to detect," says Marcus Sachs, director of the SANS Internet Storm Center.

 

Distinctive market

 

Industrial espionage is nothing new, of course. But what's taking shape in the Internet underground is as distinctive as it is worrisome, security experts say.

 

Elite cybergangs can no longer make great money stealing and selling personal identity data. Thousands of small-time, copycat data thieves have oversaturated the market, driving prices to commodity levels. Credit card account numbers that once fetched $100 or more, for instance, can be had for $10 or less, says Gunter Ollmann, chief security strategist at IBM ISS, IBM's tech security division.

 

Cybercriminals on the cutting edge are forging ahead. They're culling the ocean of stolen personal data for user names and passwords to access corporate systems. They've begun to target corporate employees who use free Web tools, such as instant messaging, Web-based e-mail and group chats on social-networking sites.

 

Often employees use such free tools to expand their business contacts and to back up clunky, company-supplied systems. But corporations have been slow to come to grips with security holes intrinsic to such free tools, or to restrict their use. "Corporations need to accept the fact that these tools are here to stay and secure them," says Jose Nazario, senior security researcher at Arbor Networks.

 

The most fertile turf: AOL, Yahoo and MSN instant messaging; YahooMail, HotMail and Gmail; and MySpace and FaceBook, the free tools that on any given day you'll find open on millions of workplace PCs. The most coveted loot: e-mail address books, instant-messaging buddy lists, PowerPoint slide presentations, engineering drawings, partnership agreements, price lists, bid proposals, supply contracts, executive e-mail exchanges and the like.

 

One set of stolen data — say, a senior manager's user name and password — is often used to get deeper access to key databases, says IBM's Ollmann. Each infected PC becomes a beachhead to breach other PCs and harvest more data. "This is maturing fast," says Ollmann. "New forums for hooking up buyers and sellers of this data are appearing on a daily basis."

 

Grab and run

 

Who buys stolen business data? Brett Kingstone, founder of Super Vision International (now Nexxus Lighting), an Orlando-based industrial lighting manufacturer, knows the answer all too well. In 2000, an intruder breached Super Vision's public-facing website and probed deep enough to snatch secrets behind the company's patented fiber-optic technology.

 

That intelligence made its way into the hands of a Chinese entrepreneur, Samson Wu. In his book, The Real War Against America, Kingstone recounts how Wu obtained Super Vision's detailed business plans, built a new Chinese factory from scratch and began mass marketing low-priced counterfeit lighting fixtures, complete with warranties referring complaints to Super Vision.

 

"They had an entire clone of our manufacturing facility," says Kingstone, who won a civil judgment against Wu. "What took us $10 million and 10 years to develop, they were able to do for $1.4 million in six months."

 

Wu disagreed with the civil judgment, says his attorney, Philip Snyderburn. Federal agents investigated Wu, but criminal charges were never pressed against him, noted Snyderburn, adding that he is not aware of Wu's current whereabouts.

 

Last year, the PCs of executives at several large Japanese conglomerates got infected with a virus spread through Ichitaro, a popular Japanese word-processing program. The intruders grabbed copies of supply contracts for an electronics maker, a plastics research firm and a train manufacturer, says SecureWorks' Jackson. That information reached rivals, who then undercut the established suppliers. "These were very targeted attacks that went on for several weeks without being detected," says Jackson.

 

In the past nine months, data thieves have stepped up attacks against any corporation with weak Internet defenses. The goal: harvest wide swaths of data, with no specific buyer yet in mind, according to security firm Finjan. Last May, Finjan documented how a large health care company and a major airline came under this type of attack, losing large caches of data. In each case, the thieves took pains to encrypt the stolen data, preserving it for future sale or use. Yuval Ben-Itzhak, Finjan's chief technical officer, calls it the "grab-and-run" technique.

 

"Cybercriminals are focusing on data that can be easily obtained, managed and controlled in order to get the maximum profit in a minimum amount of time," says Ben-Itzhak.

 

Researchers at RSA, the security division of tech systems supplier EMC, have been monitoring deals on criminal message boards. One recent solicitation came from a buyer offering $50 each for e-mail addresses for top executives at U.S. corporations. "He wants to send something specifically targeted to a senior-level employee to gain access to that resource," says Uri Rivner, RSA's head of new technologies. "These fraudsters know what they want."

 

Inside foothold

 

Meanwhile, corporations make it all too easy, say tech security experts and law enforcement officials.

 

The military and many financial services firms block access to YouTube and other popular websites on work computers. But most organizations pay little heed to how employees use free Web programs; only a small minority actually pay for secure alternatives, such as company-supplied instant messaging, says Chris King marketing director at security firm Palo Alto Networks.

 

Similarly, most customized business applications used in commerce and government continue to be created with functionality, not security, as the top specification, says Joe Jarzombek, director of software assurance at the Department of Homeland Security's, National Cyber Security Division.

 

Data thieves understand this, says Shawn Henry, the FBI's assistant director in charge of the cyberdivision. At an Oct. 15 press conference, Henry noted the vast criminal opportunities created by the rapid digitalization of data.

 

"Twenty years ago, it was all maintained in file cabinets," Henry said. "All of the most sensitive data relating to a corporation, because of ease of transmittal and the need to communicate, has been migrated to the network. You can only imagine what certain actors would do, given access to that particular type of information."

 

Last month, enterprising thieves discovered a big security hole in millions of work computers that forced Microsoft to issue a rare emergency patch.

 

The flaw, in Windows XP and Windows Server PCs, makes it possible to control any Internet-connected PC without having to trick the user into clicking on a tainted attachment or Web page. Criminals implanted a program in corporate PCs that automatically turned on every 10 minutes, says Sunbelt Software researcher Eric Sites.

 

The program copied and extracted all personal data stored by a PC's Web browser and registry, which gives the Web location of the machine, then turned off.

 

"This looks like something very customized, targeting very specific people," says Sites. "They could be after business intelligence or military secrets. These are not your average attackers."

 

Microsoft did not know about the flaw until reports of ongoing intrusions reached the software giant. Security experts say it will take months for the patch it issued to be installed pervasively in corporate settings. That's because large organizations test and install patches methodically, so as not to disrupt internal networks.

 

Meanwhile, criminal groups continue to probe the Internet for unpatched PCs, snare employees who use free Web tools at work and research novel ways to access corporate networks.

 

Randy Abrams, director of technical education at antivirus firm ESET, describes corporate data as "existing in a state of anarchy," moving haphazardly about company networks with too few protections. "The bad guys are aware of this," says Abrams. "Right now, there is little stopping them from moving data to places it should not be going."

Tuesday, November 11, 2008

Thousands hit in broad Web hack

Malicious links were placed on as many as 10,000 servers

Robert McMillan

 

November 7, 2008 (IDG News Service) Hackers have launched a massive Web hacking campaign, putting malicious links on as many as 10,000 servers, security vendor Kaspersky Lab warned on Friday.

 

"We're estimating that in the last two days alone, between 2,000 and 10,000 servers, mainly Western European and American ones, have been hacked," Kaspersky wrote on its Web site Friday, "It's not yet clear who's doing this."

 

The attackers are most likely using compromised accounts on the Web sites or launching what's known as a SQL injection attack, in which hackers trick Web sites' software into inadvertently running malicious commands.

 

The criminals add a line of JavaScript code onto the hacked sites that redirects victims to one of six servers. These sites, in turn, redirect the visitor to a server in China. That server can launch a variety of attacks, targeting known flaws in Firefox, Internet Explorer, Adobe Systems Inc.'s Flash Player and ActiveX, Kaspersky said.

 

If the victim's computer hasn't been patched, the attack code could install a variety of spyware and Trojan horse software, including one program designed to steal World of Warcraft passwords.

 

These Web attacks have become fairly common this past year, according to Roger Thompson, chief research officer at AVG Technologies. "These guys are pretty busy," he said via instant message. "We see them a lot."

 

Judging from their techniques and from his previous research, Thompson said he believes the attackers are college students based in China and that they may be the same group that notoriously hacked the Web sites of the Miami Dolphins and Dolphin Stadium ahead of the 2007 Super Bowl football championship.

 

Earlier this year, a similar attack compromised more than 1.5 million Web pages, Kaspersky said. "Things are still developing, and the similar nature of the malicious programs used in both attacks lead us to think that this new wave of attacks is potentially pretty serious," it said.

Monday, November 10, 2008

Security Researcher to Reveal New Web Attack Vector

By Brian Prince

 

Security researcher Stephan Chenette of Websense says he has found a new way to slip Web exploits by client or gateway defenses. He calls the technique script fragmentation and says the attack vector is similar to the TCP fragmentation attacks that gained notoriety years ago. Chenette will make a presentation of his findings next week at the PacSec security conference in Tokyo.

 

Security researcher Stephan Chenette has reincarnated an old attack vector, giving it a new twist and a new name.

 

Chenette, manager of security research at Websense, has dubbed the new attack vector "script fragmentation" and will be making a presentation on it next week at the PacSec Applied Security Conference in Japan. Though he was mum on the specific details of his research, he provided eWEEK with a general outline of his findings.

 

His attack method is reminiscent of TCP fragmentation attacks and involves breaking down Web exploits into smaller pieces and distributing them in a synchronous manner to evade signature detection. According to Chenette, the attack can be performed without any special tools or add-ons.

 

"There's no big chunk of maliciousness to it [where] there's enough information there that anybody who's looking at it, either signature or [with behavioral analysis], will really make any sense of it to say, 'this is malicious,'" he explained.

 

Chenette said he tested the technique on all the major browsers, including Internet Explorer, Firefox and Safari, and found all were susceptible. Strictly speaking, however, it is not a browser vulnerability – it only takes advantage of the way Web browsers and applications operate.

 

"I'm calling this a script fragmentation attack because it makes use of the common technologies that are completely available today – JavaScript, VBScript, any type of scripting language - and the other readily available technologies that allows us just to conduct traffic back and forth. We can do it in smaller pieces, and at one end concatenating all the information and then triggering the attack."

 

The attack scenario could be a one-to-one relationship where a client contacts a Web server and gets the malicious content in little bits and pieces, or a situation where an attacker uses a botnet to have a few thousand machines serve the client pieces of the malware from various locations, Chenette explained.

 

Disabling scripting would affect it, but the non-static nature of today's Web makes that unpractical.

 

"If you were to turn off JavaScript, you couldn't go to Gmail and use it in the way that it's meant to be used," he said. "You couldn't go to Facebook…hi5, all these are top 50 Web sites that are used by all users for business purposes as well as personal use. So JavaScript and scripting languages in general and the mechanisms that the script fragmentation attack relies on are all mechanisms that everyday, benign applications use - and that's actually why it's so successful. All the components that script fragmentation relies on are components that are used in everyday Web sites and they are used in the exact same way that everyday Web sites use them."

 

So far, the attack method has not been seen by Websense in the wild. However, with security vendors starting to get over the hump in regards to detecting malware obfuscation, this type of attack are on the horizon, Chenette said.

 

"This is really in my eyes an attack that we're going to be seeing a lot more of in the future," he said. "This is something that currently we're not seeing, but is completely right now as it stands in the hands of any attacker that wants to make use of it."

Thousands Hit in Broad Web Hack

Robert McMillan, IDG News Service

 

Hackers have launched a massive Web hacking campaign, putting malicious links on as many as 10,000 servers, security vendor Kaspersky Lab warned Friday.

 

"We're estimating that in the last two days alone, between 2,000 and 10,000 servers, mainly Western European and American ones, have been hacked," Kaspersky wrote on its Web site Friday, "It's not yet clear who's doing this."

 

The attackers are most likely using compromised accounts on the Web sites or launching what's known as a SQL injection attack, where hackers trick the Web site's software into inadvertently running malicious commands.

 

The criminals add a line of JavaScript code onto the hacked sites that redirects victims to one of six servers. These sites, in turn, redirect the visitor to a server in China. That server can launch a variety of attacks, targeting known flaws in Firefox, Internet Explorer, Adobe's Flash Player and ActiveX, Kaspersky said.

 

If the victim's computer hasn't been patched, the attack code could install a variety of spyware and Trojan horse software, including one program designed to steal World of Warcraft passwords.

 

These Web attacks have become fairly common this past year, according to Roger Thompson, chief research officer with AVG Technologies. "These guys are pretty busy," he said via instant message. "We see them a lot."

 

Judging from their techniques and from his previous research, Thompson believes the attackers are college students based in China and that they may be the same group that notoriously hacked the Web sites of the Miami Dolphins and Dolphin Stadium ahead of the 2007 Super Bowl football championship.

 

Earlier this year, a similar attack compromised more than 1.5 million Web pages, Kaspersky said. "Things are still developing, and the similar nature of the malicious programs used in both attacks lead us to think that this new wave of attacks is potentially pretty serious."

Sunday, November 9, 2008

Chinese hack into White House network

By Demetri Sevastopulo in Washington

 

Chinese hackers have penetrated the White House computer network on multiple occasions, and obtained e-mails between government officials, a senior US official told the Financial Times.

On each occasion, the cyber attackers accessed the White House computer system for brief periods, allowing them enough time to steal information before US computer experts patched the system.

US government cyber intelligence experts suspect the attacks were sponsored by the Chinese government because of their targeted nature. But they concede that it is extremely difficult to trace the exact source of an attack beyond a server in a particular country.

"We are getting very targeted Chinese attacks so it stretches credulity that these are not directed by government-related organisations," said the official.

The official said the Chinese cyber attacks had the hallmarks of the "grain of sands" approach taken by Chinese intelligence, which involves obtaining and pouring through lots of - often low-level - information to find a few nuggets.

Some US defence companies have privately warned about attacks on their systems, which they believe are attempts to learn about future weapons systems.

The National Cyber Investigative Joint Task Force, a new unit established in 2007 to tackle cyber security, detected the attacks on the White House. But the official stressed that the hackers had only accessed the unclassified computer network, not the more secure classified network.

"For a short period of time, they successfully breach a wall, and then you rebuild the wall ... it is not as if they have continued access," said the official. "It is constant cat and mouse."

Dana Perino, White House press secretary, declined to comment. The Chinese embassy also did not comment, but in the past China has called similar allegations reflective of "Cold-War thinking".

The US has increased efforts to tackle cyber security, particularly since Chinese hackers believed to be associated with the Peoples' Liberation Army last year perpetrated a major attack on the Pentagon.

US military computer experts battled for weeks against a sustained attack that eventually overcame the Pentagon's defences. The cyber attackers managed to obtain information and emails traffic from the unclassified computer system that supports Robert Gates, the defence secretary. Pentagon IT technicians were forced to take the network down for days to conduct repairs.

Concerns about Chinese hacking last year prompted President George W. Bush to tell reporters ahead of a meeting with President Hu Jintao of China that he might raise the issue with countries of concern.

Over the past year, the US government has tightened restrictions on officials using BlackBerrys and computers overseas, particularly in Russia and China, and sometimes bars them from removing the equipment from US government aircraft in the country.

In another incident, US government cyber investigators have determined that an attack this summer on the Obama and McCain campaign computer networks also originated in China. Details of the intrusion were first reported by Newsweek.

The Secret Service warned the Obama and McCain campaigns their networks had been comprised. The hackers successfully downloaded large quantities of information, which security agencies believed was an attempt to learn more about the contenders' policy positions.

According to the Newsweek report, the Obama campaign speculated that China or Russia were behind the attacks. A second US official said cyber analysts had concluded that the attacks originated in China, but stressed that they were not able to determine who was responsible.

"There is no doubt that foreign governments are actively targeting cyber space not only for sensitive information but to influence our most sensitive processes such as the US presidential election," said Sami Saydjari, head of the Cyber Defence Agency, a private company that advises government on hacking.

"This underscores the need for President-elect Obama to take leadership in the cyber space race that is well underway."

While the US has raised concerns about cyber attacks, many governments believe the US is also engaged in electronic spying. Bob Woodward, the veteran Washington Post reporter, this year revealed that the US had been spying on the Iraqi government.

Ex-con spills the beans on ID fraud

Jail is simply a chance to share information, admits former fraudster

 

The threat of jail time is no deterrent for online criminals, a former fraudster told a roomful of e-crime experts today.

Speaking at a seminar sponsored by the government-backed Cyber Security Knowledge Transfer Network, the ex-fraudster, known as 'T', argued that prison actually offers those convicted of identity theft the chance to share information with others.

"No one likes prison no matter what they say ... but it's no great incentive to go straight," he said.

"At the beginning I was nervous [about committing fraud] but after you've done it once, and the more you get away with it, the more you feel you'll never get caught."

'T' explained how he was continuously looking for call centre operatives to bribe with the aim of obtaining credit card details.

"A lot of the labour in call centres is students and there is a huge turnover so no-one there is really loyal," he explained.

"No one said they'd report me to the police and, after I built up a criminal relationship with one of them, I ended up with a network [of their friends and colleagues] and soon had more details than I could use."

The ex-fraudster also befriended estate agents, bribing them to hand over the keys to some of their properties which he then used to have fraudulently obtained goods and credit cards delivered.

"The most anyone would ever do is say 'no'," he explained. "I only needed one letting agent because they would have 40 or 50 properties on their books."

Although the man's criminal career lasted over three years, and ultimately cost him nearly four years in jail, 'T' said that the scale of the problem is being underestimated.

"It was widespread back then, but now they even have a term for it: identity theft," he said. "It's everywhere you go. People say it's a small problem but it's massive and I still know people doing that stuff."

"Digital DNA" to fight cyber crime

`Scottish researchers develop what they call "digital DNA": It is based on analyzing the way in which users access data on their computers and then creating a digital fingerprint that is unique to each user

 

Computer experts at Edinburgh's Napier University have secured funding of £199,879 to help them pre-commercialize a digital fingerprinting and analysis software technique that could help companies crack down on computer fraud. The innovative patent-pending technology, called "digital DNA," is based on analyzing the way in which users access data on their computers and then creating a digital fingerprint that is unique to each user. Jamie Graves, a research fellow at Napier's School of Computing, explored the concept of digital DNA throughout his Ph.D.. Now, along with Professor Bill Buchanan, he has secured the two-year funding under the Scottish Enterprise Proof of Concept program to develop the software through to commercialization.

 

Graves believes that the digital DNA technique he has developed uses a particular metric that offers a far higher degree of proof probability that a certain person was behind any changes made to data. Criminal gangs are growing increasingly aware of the potential rewards of data theft. Court prosecutors, however, are seeking higher levels of proof when it comes to prosecuting data crime, particularly in areas such as auditing and compliance activity. "A weakness of the current system is that it is computer experts giving evidence on the basis that they believe a particular person accessed or changed data," said Graves. "What the digital DNA will do is give a much greater measure of confidence to such actions. I can see it being very big in areas such as compliance and auditing where organizations have to show proof of their controls over sensitive data and access to it."

 

Graves believes that the digital DNA software could help play a big part in reducing overall data crime. "We've demonstrated its effectiveness in the lab and the Proof of Concept funding will allow me to prove that effectiveness in the real world," added Graves. Don Smith, technical director at Edinburgh-based DNS, one of Europe's leading information security companies, said Napier's DNA fingerprint is a novel and helpful approach to cutting through the existing layers of computer security monitoring. He said: "Napier's DNA fingerprint technology is certainly promising in terms of innovation and looks to have the capability of providing precisely that evidential proof of change or intrusion. It is a completely new perspective on tracking activity and I am sure the industry will take a very close look at it."

FBI probes data theft blackmail scheme

Data thieves threaten to release millions of patient records

Jeremy Kirk

 

November 7, 2008 (IDG News Service) Data thieves are threatening to release millions of patient records held by a U.S. prescription drug management company unless the company pays up.

 

Express Scripts in St. Louis said on Thursday it received a letter in early October with the names, birth dates, Social Security numbers and some prescription information for 75 patients. The company provides benefit management services to health care organizations, insurers and other businesses.

 

The company has notified the U.S. Federal Bureau of Investigation, as well as those people whose information was included in the letter, according to a company statement.

 

"While we are unaware at this time of any actual misuse of any members' information, we understand the concern that this situation has caused our members," Express Scripts said on a Web site set up to provide information on the breach.

 

The company has also included contact information for credit monitoring agencies and other resources for people who believed they may be a victim of fraud.

 

Express Scripts said it has a variety of security systems to protect patient data but said no system is invulnerable. Officials have identified where the data was stored and have implemented "enhanced controls," the company said.

 

The data breach at Express Scripts underscores the trouble enterprises and governments are having protecting their data from loss, theft and inadvertent disclosure.

 

Since January 2005, more than 230 million records involving the personal data of U.S. residents have been compromised due to breaches, according to the Privacy Rights Clearinghouse's Chronology of Data Breaches.

 

Hackers targeting an insecure wireless network at retailer The TJX Companies Inc. resulted in upward of 94 million credit and debit card accounts being compromised in 2007.

 

In 2006, 26.5 million records containing the names, Social Security numbers and birth dates of U.S. military veterans were stolen from the Department of Veterans Affairs.

Thursday, November 6, 2008

Once thought safe, WPA Wi-Fi encryption is cracked

Robert McMillan

 

November 6, 2008 (IDG News Service) Security researchers say they've developed a way to partially crack the Wi-Fi Protected Access (WPA) encryption standard used to protect data on many wireless networks.

 

The attack, described as the first practical attack on WPA, will be discussed at the PacSec conference in Tokyo next week. There, researcher Erik Tews will show how he was able to crack WPA encryption and read data being sent from a router to a laptop computer. The attack could also be used to send bogus information to a client connected to the router.

 

To do this, Tews and his co-researcher Martin Beck found a way to break the Temporal Key Integrity Protocol (TKIP) key, used by WPA, in a relatively short amount of time: 12 to 15 minutes, according to Dragos Ruiu, the PacSec conference's organizer.

 

They have not, however, managed to crack the encryption keys used to secure data that goes from the PC to the router in this particular attack

 

Security experts had known that TKIP could be cracked using what's known as a dictionary attack. Using massive computational resources, the attacker essentially cracks the encryption by making an extremely large number of educated guesses as to what key is being used to secure the wireless data.

 

The work of Tews and Beck does not involve a dictionary attack, however.

 

To pull off their trick, the researchers first discovered a way to trick a WPA router into sending them large amounts of data. This makes cracking the key easier, but this technique is also combined with a "mathematical breakthrough," that lets them crack WPA much more quickly than any previous attempt, Ruiu said.

 

Tews is planning to publish the cryptographic work in an academic journal in the coming months, Ruiu said. Some of the code used in the attack was quietly added to Beck's Aircrack-ng Wi-Fi encryption hacking tool two weeks ago, he added.

 

WPA is widely used on today's Wi-Fi networks and is considered a better alternative to the original WEP (Wired Equivalent Privacy) standard, which was developed in the late 1990s. Soon after the development of WEP, however, hackers found a way to break its encryption, and it is now considered insecure by most security professionals. Store chain T.J. Maxx was in the process of upgrading from WEP to WPA encryption when it experienced one of the most widely publicized data breaches in U.S. history, in which hundreds of millions of credit card numbers were stolen over a two-year period.

 

A new wireless standard known as WPA2 is considered safe from the attack developed by Tews and Beck, but many WPA2 routers also support WPA.

 

"Everybody has been saying, 'Go to WPA because WEP is broken,'" Ruiu said. "This is a break in WPA."

 

If WPA is significantly compromised, it would be a big blow for enterprise customers who have been increasingly adopting it, said Sri Sundaralingam, vice president of product management at wireless network security vendor AirTight Networks. Although customers can adopt Wi-Fi technology such as WPA2 or virtual private network software that will protect them from this attack, there are still may devices that connect to the network using WPA, or even the thoroughly cracked WEP standard, he said.

 

Ruiu expects a lot more WPA research to follow this work. "It's just the starting point," he said. "Erik and Martin have just opened the box on a whole new hacker playground."

Sunday, November 2, 2008

Crooks can make $5M a year shilling fake security software

Scareware affiliate operation may also be a money-laundering front, says researcher

Gregg Keizer

 

October 31, 2008 (Computerworld) Criminals can make as much as $5 million a year by planting nearly worthless security software on PCs, then badgering users with so many bogus malware warnings that they fork over their credit card, a noted crimeware researcher said today.

 

That's the estimate of the annual income a dedicated crook could earn by pumping fake antivirus software, dubbed "scareware" by some, said Joe Stewart, director of malware research at SecureWorks Inc.

 

Stewart led an investigation into a Russian-based operation in which affiliate members seed PCs with Antivirus XP 2008, recently renamed Antivirus XP 2009, then reap commissions of up to 90% on the software's $40 to $50 price tag. The program is virtually worthless and is able to spot only a handful actual threats.

 

After convincing a real cybercrook to provide a recommendation to an affiliate program dubbed "Bakasoftware," Stewart accessed records that showed some members pulled in as much as $146,000 in just 10 days.

 

"We were able to convince another affiliate [of our bona fides], and got an invitation that let us see the back end of the affiliate site and see how the promotion works," Stewart explained. Although the Bakasoftware program had been known to researchers, its operations had received little, if any, analysis, since the program's site is in Russian and the invitation-only requirement for new memberships made it easy for the criminals to keep outsiders at arm's length.

 

During SecureWorks' investigation, Stewart also stumbled across messages posted on Russian forums by a hacker calling himself "NeoN" who claimed to have broken into the Bakasoftware administrative server. NeoN posted evidence that Bakasoftware affiliate members had raked in between $75,000 and $158,000 in one week.

 

NeoN tried to steal from the crooks but was blocked, said Stewart. Soon after that, however, Bakasoftware's administrator, a user pegged only as "kreb," changed members' access passwords.

 

Bogus antivirus programs are not a new criminal tactic, but using them to collect money from naive users has been on a major upswing. The increase, in turn, has prompted reactions from some technology companies. Just last month, for instance, Microsoft joined the attorney general of Washington state to file several lawsuits against suspected scareware distributors.

 

"This is a huge moneymaker in the underground," Stewart said. "It carries little risk, because they're not out and out stealing credit cards or bank-account details. So even if law enforcement finds out about them, they're not going to be first on the list."

 

The crooks also have a tenuous excuse, said Stewart, because his analysis of Antivirus XP showed that it did, in fact, detect a very small number of threats. "They have some plausible deniability," he argued. "They could just say they didn't know that the program sucked so badly."

 

Useless security programs like Antivirus XP rely on their near-constant blizzard of pop-up warnings -- all faked -- to irritate or worry users enough to pay for the software. Only after paying for the program, then registering it, do the pop-ups stop.

 

The brazenness of the criminals' claims are astounding: On a PC running a pristine, just-installed copy of Windows, Stewart said that Antivirus XP "found" and "disinfected" more then 300 nonexistent threats.

 

But while affiliates can make serious amounts of money, Stewart speculated that Bakasoftware's operator might be making even more. And not by just taking his cut of the money coming in.

 

"We think that Bakasoftware might just serve as a way to launder money," Stewart said, adding that there's some evidence that stolen credit cards are used by at least one affiliate member to pay for downloaded and installed copies of Antivirus XP. Even though the bulk of those payments are denied by the credit card companies, enough get through to launder significant sums. "From what we can tell, it looks like [Bakasoftware] may be doing this themselves," said Stewart, "and hiding a smaller volume of fraudulent money in the larger volume of legitimate credit card payments users are making for the software."

 

The Bakasoftware operation continues, Stewart said. "I don't think they've noticed our investigation," he said. But stopping even one affiliate program, much less the scores that are active, is nearly impossible.

 

"The best way to make money as a criminal is to set up an affiliate program of some kind, then get someone else to do the dirty work," said Stewart. "They don't even need to work hard at it [to make plenty of money]."

When IDentiWall is used, none of the following matters

 

"Ruthless' Trojan horse steals 500k bank, credit card log-ons

Russian gang kept 'extraordinary' malware on the prowl for nearly three years

Gregg Keizer

 

October 31, 2008 (Computerworld) A sophisticated cybercrime group that has maintained an especially devious Trojan horse for nearly three years has stolen the log-ons to more than 300,000 online bank accounts and almost as many credit cards during that time, a security company said today.

 

Researchers at RSA Security Inc.'s FraudAction Research Labs tracked the Sinowal Trojan horse, also known as Mebroot and Torpig, to a drop server that contained the stolen credentials, said Sean Brady, the product marketing manager at RSA's ID and access assurance group.

 

"The sheer enormity of this makes this unique," said Brady. "And the scale is very unusual." All told, the gang behind Sinowal managed to obtain access to nearly half a million bank accounts and credit cards, a volume RSA dubbed "ruthless" and "extraordinary."

 

"And the fact that the Trojan was managed by one group through its history and maintained for nearly three years is also very unusual," Brady said. RSA uncovered records that showed the Trojan horse had been in active operation since at least February 2006. "In malware life cycles, that's ancient, and to keep it up required a high degree of resources and effort."

 

The company's researchers first got onto Sinowal's trail after they captured a sample of the Trojan horse. An analysis of its code laid out a map back to the drop server. That server was another unusual characteristic of the malware. "Infection points and drop points go up and down all the time," Brady said. "They typically have very short lifespans. But this drop site not only stayed up, it showed a sustained collection of log-ons."

 

Brady also credited Sinowal's longevity to its authors' skills and secrecy.

 

The Trojan horse has been revised more or less constantly, although there were periods when its creators ramped up the number of variants. After a lull last February, for example, the number of different versions again spiked in June, then hit slightly lower peaks in August and this month.

 

The group is also more secretive than most, a trait that served it well. "They don't outsource, and [they] have all the necessary expertise in-house," said Brady. "They don't open their tool kits to other hackers, either. We suspect that the closed-loop nature of the group contributed to their ability to remain undetected."

 

These crooks, like many at the top rungs of the cyberunderworld, work their craft first and foremost as a business. "We see some evidence that they have employed some practices that you may normally find in businesses that maintain high availability [of IT]," Brady continued. "They're using some redundancy, some backup effort for the data. They've clearly invested in this."

 

Sinowal has infected hundreds of thousands of PCs worldwide during its run, and it continues to attack machines. Once on a system, the malware waits for the user to enter the address to an online bank, credit card company site or another financial URL, then substitutes a fake in place of the real thing. It's triggered by more than 2,700 specific Web addresses, a massive number compared with other Trojan horses.

 

The fake sites collect log-on usernames and passwords to banks and other financial institutions and dupe users into disclosing information those organizations never collect online, such as Social Security numbers. The Trojan then transmits the stolen credentials and data to the drop server.

 

"This is one of the more sophisticated pieces of malware out there," said Brady.

 

One reason Sinowal has been so successful is that it's rarely detected by antivirus software. "They struggle to find this one," Brady said. That's not surprising. The Trojan horse includes rootkit elements that infect the PC's master boot record (MBR), the first sector of a hard drive. Because the hardware looks to that sector before loading anything else, Windows included, the Sinowal is nearly invisible to security software. Security vendors have complained for months about how tough the malware is to spot.

 

RSA Security suspects that the group responsible for Sinowal is based in Russia. "The distribution was truly global, but the one statistical anomaly that we noticed was [that] Russia was the one region that had no infections." Cybercrooks will often forgo infecting machines in their own country in the hope that local law enforcement authorities will not come calling or that if they do find out about the attacks, they'll put any action low on their priority list.

 

"This is the biggest find we've made to date," confirmed Brady. "But one reason why we're talking is so we can connect to [the affected] financial institutions." RSA has notified authorities and the banks and credit card companies with which it has existing relationships, but it needs help in contacting others, he said."