Pages

Thursday, January 21, 2010

The cyber-gangsters' "weapons" and the state of Internet security

I wrote my first article about cyber crime related to Russian hackers. Writing an article about Chinese hackers (will be published soon) I had to explain why it's difficult to fight against them due to a wide range of tools, methods and existing vulnerability of operating systems and applications in addition to the specific political conditions in China. Since this material turned to more than 15-page information, I have decided to put it into a separate article. So, it's offered here.

 Cyber-gangsters
Before talking about hackers, let's define who are we dealing with? Who are the people or organizations that are motivated to dedicate their intelligence and skills to a dirty business of exploiting computer systems?


Andrew M. Colarik of the USA and Lech J. Janczewski of New Zealand state that, "In the context of information security, terrorists may come in many forms such as politically motivated, anti-government, anti-world trade, and pro-environmental extremists". They further state, "Cyber terrorism means premeditated, politically motivated attacks by sub-national groups or clandestine agents, or individuals against information and computer systems, computer programs, and data that result in violence against non-combatant targets".


Let's add the money-motivated hackers, and you see the picture of the enemy.


The goal of money-motivated hackers is to benefit from money inflow:
  •           with cyber espionage (to get the advanced technology secrets; to disrupt the competitors' networks; or to embarrass competitor and gain the advantage in the same field of business);
  •           by acting as a "cyberbully" and demand money by various methods of electronic blackmailing;
  •           by breaking into financial organizations' computer systems and transfer money to offshore accounts;
  •           by stealing the valuable information and re-sell it to those who wants to use it for own advantage (example: stealing credit card account information and reselling it);  
  •           by "building" the botnets for DDoS attacks and sell the right to use it;
  •           with identity theft by using stolen information to transfer money out of the bank accounts or to buy the goods from the Internet-based stores with newly opened credit cards;
I am sure there are few more methods but you got an idea.


According to a new study from McAfee, data theft and breaches from cybercrime may have cost businesses last year as much as $1trillion globally in lost intellectual property and resources for repairing the damage.


The goal of cyber-terrorists is to intimidate or force a government or its people to perform the changes that serve attacker's political and social objectives or political motivation. The goal also can be described as a disruption of major infrastructures of the country (e.g. nuclear plants, energy supply systems, defense infrastructure, and similar) in order to gain quick advantage in the pre-planned geo-political action.


Whether you want to call it "cyber terrorism" or only "information warfare", unfortunately, it's not the theory, it's the reality (read my blog about cyber attack on Estonia).


As you see, political views have various forms and can be the main motivational factor to be engaged in unlawful attacks or threats of attacks against computers, networks, and the information infrastructure.


I don't know if anyone assigned a name "cyber-gangsters" to all the people and organizations that are politically or financially - motivated to utilize multiple weaknesses of computer systems in order to achieve particular goals but I feel it's appropriate and I will use this term.


The cyber-gangsters' "weapons"
Neither definition-based anti-virus nor any other single solution is enough to block modern threats. Zero-day attacks, "mutating" viruses, or targeted attacks are all high-risk situations requiring an additional layer of protection. Our widely accepted security standards do not meet the needs either. In fact, the PCI standard for financial institutions and 3rd-party vendors involved into financial transactions that is considered pretty tough proved to be inefficient. The cyber-gangsters using the sophisticated sniffer software were able to penetrate into Heartland Payment System AFTER they passed their PCI DSS audit. The result of the breach and lost data for the company was disastrous.
"The number of crimeware-spreading sites infecting PCs with password-stealing crimeware reached an all time high of 31,173 in December, an 827 % increase from January of 2008." Source: Anti-Phishing Working Group, Phishing Activity Trends Report 


Let's look what the "weapons" that are used by cyber-gangsters against personal computer and computer network (not a complete list, for sure).
-         Zero-day attacks
-         "Mutating" viruses
-         Targeted attacks (DDoS) utilizing botnets
-         Application exploits (including SQL injection) due to OS and applications design problems
-         Cross-Site scripting
-         Social Networking site exploits
-         Browser exploits
-         Hosted site exploits
-         P-2-P networking infection
-         Smartphone attacks
-         Wi-Fi protocol weaknesses exploits
-         Social Engineering to collect the information for the following attack
-         Malicious e-mails and spam - based infections
-         Creating malicious underground organizations to assist in cyber exploits and attacks
-         Identity theft (which has also been linked to terrorist activity)
-         Keyloggers, mouse-loggers, etc
-         Rogue Blogs pollution
-         Search engine results manipulation to redirect user to malicious web sites
-         Two-factor authentication circumvention


Why do we loose a war with cyber-gangsters? Imagine that you are a network or security administrator. You will have to take care about a wide range of vulnerable spots in your network, computers, and applications. This range becomes wider every day. As for hackers, it's enough to find only ONE VULNERABLE SPOT and you are fried. Do you see the difference?



1. Infected with a virus
There are various virus-detection technologies, regular or more advanced; however, modern malware can successfully avoid virus detection attempts. None of the today's technologies are able to clean 100% of viruses. The number of various viruses and their variants is well over half of a million, and every day there more and more news about newly created and more sophisticated viruses, worms, and their "brothers"' variants.


As the software engineer pointed in the article (the link above), it is not easy to design the anti-virus software that will be able to detect new viruses since you don't know where to look and what to expect. So, no matter how the technology is advanced, we're still working in the reactive mode.


The "success" of newly-created viruses is obvious. In accordance to the confickerworkinggroup.org, the Conficker A+B virus has infected ~5.9 Millions of PCs, the Conficker C- ~290,000 PCs, and the last variant of Conficker A+B+C -~6.3 Millions of PCs. One in 7 computers infected with Conficker are hosted on Chinese Internet service provider (ISP) Chinanet. The number of infected PCs proves one more time that the most of the virus infections occur on the PCs that are not properly and timely managed. The protection could be achieved simply by installing patch MS8-067 or disabling AutoPlay on a Windows OS.


I don't need to point you to the numerous news about new infections happened almost every day on a large scale. In accordance to Norton Symantec anti-virus company, the top 100 infected sites had on average 18,000 threats and 40 per cent of the sites had more than 20,000 threats. An astounding 75 % of websites on the list were found to be distributing "malware" for more than 6 months. This is the world we live in.


I don't know if you heard anything about Zeus virus but this is the one that successfully avoids most of the anti-virus scanners available today. In fact, the effectiveness of an up to date anti-virus against Zeus is not 100%, not 90%, not even 50% - it's just 23%. Its popularity has also encouraged the opening of the Zeus Tracker which currently list 537 active cyber-gangsers domains, with the majority of them hosted in Russia, the U.S and China, followed by the Netherlands, Ukraine and Germany.


Does it mean we should not spend money and use the anti-virus programs since they don't guarantee 100% virus-free PC? Not at all, some protection is better than nothing. Ask any computer specialist, and every one of them has its own opinion which anti-virus program is better. I have also shared my experience in this blog after I have replaced all anti-virus and anti-spyware programs on my PC with the only one - VIPRE from Sunbelt. Follow the link and find out why I have chosen this product and more details with screenshots.


2. Applications and OS design problems
If the operating systems and applications were designed with a tough security in mind would you see the daily headlines like these?
-         Microsoft confirms 'detailed' Windows 7 exploit;
-         Typical weekly Security Vulnerability Alert (sans.org):
  •           Windows                                                                     4 
  •           Microsoft Office                                                          9 
  •           Other Microsoft Products                                            1 
  •           Third Party Windows Apps                                          4
  •           Mac Os                                                                      21 
  •           Linux                                                                          2
  •           BSD                                                                           1
  •           Solaris                                                                        4
  •           Aix                                                                              1
  •           Cross Platform                                                              9
  •           Web Application' Cross Site Scripting                             5
  •           Web Application“ SQL Injection                                      1
  •           Web Application                                                             8
  •           Network Device                                                              3
-         VMware has advised of a total of 93 vulnerabilities in several of its products, including ESXServer, VirtualCenter, and vCenter.
-         Secunia's typical report:
o        [SA37448] Internet Explorer Layout Handling Memory Corruption Vulnerability
o        [SA37318] Microsoft Windows Win32k Kernel-Mode Driver Multiple Vulnerability
o        [SA24314] Internet Explorer Charset Inheritance Cross-Site Scripting Vulnerability
o        [SA35948] Adobe Flash Player Multiple Vulnerabilities
o        [SA37314] Windows Web Services on Devices API Memory Corruption Vulnerability
o        [SA37273] Google Chrome Two Vulnerabilities
o        [SA36983] Adobe Reader/Acrobat Multiple Vulnerabilities
o        [SA37313] Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
o        [SA37277] Microsoft Office Word File Information Block Parsing Buffer Overflow
o        [SA37309] Microsoft Windows Win32k Kernel-Mode Driver Privilege Escalation


3. Web application security problems
There have been more than 250,000,000 customer record breaches since January, 2005. Each of those compromised records costs companies' on average $202 with the total cost of a data breach ranges from $613,000 to $32,000,000. There two options for compromising the web server: brute force password guessing and web application attacks. In accordance to Imperva, the most destructive attack techniques are: SQL Injection, Cross-Site Scripting, and Cookie Poisoning.

 SQL Injection
SQL Injection continues to be one of the most predominant Web application threats that affect commercial and custom web applications (83% of Enterprises Experienced a Database Breach Last Year). Considering the widespread availability of valuable data on the Web, the popularity of e-commerce and dependency on the web for all kinds of information, attackers are motivated to implement faster, more advanced SQL injection methods to launch high profile, widespread attacks on targeted web sites such as an automated SQL injection via search engines, SQL Injection for web site defacement, malware distribution for Denial of Service (DoS) attacks, and direct database SQL Injection that takes advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a back-end database.

Recent news: Another 1.5 million websites associated with the newest series of SQL injection attacks have been found by network security specialist eSoft.
          Cross-Site Scripting (XSS or CSS): attack that takes advantage of a Web site vulnerability in which the site displays content that includes un-sanitized, user-provided data.
          Cookie Poisoning: attack that modifies the contents of a cookie (personal information stored in a Web user's computer) in order to bypass security mechanisms. 
       Design flaw: Every application security problem starts with poor design. In addition to thousands of desktop/server operating systems vulnerabilities, when you run the application on a top of it, it adds more vulnerability since the initial design was performed by the programmers who are not savvy in application security. Poor design is a cause of many problems that are exploited by not-to-our-surprise savvy hackers. It is the reason why the number of application vulnerabilities greatly exceeds the number of operating systems vulnerabilities.


To mitigate this problem, SANS Institute began educating programmers in application design security and even introduced a new security certification targeting the army of programmers.


4. The problem of botnets
The new technology, Web 2.0, browser-based computing, and mobile platforms give rise to a new breed of threat: stealthy Web-borne malware used to build botnets of enterprise and consumer PCs to steal customer data, intellectual property, and user credentials.
There are between 4 and 6 million computers scattered across the globe that have been compromised by cyber-gangsters without the users' knowledge. Botnets contribute to more than 87% of all unsolicited mail, equating to approximately 151 billion emails a day.


Last September, a botnet research group Shadowserver was monitoring more than 3750 distinct botnets averaging 20,000 or more bots each, with some containing more than a million infected PCs (!). Bots are so inexhaustible because they install as Trojans from malicious websites, bypassing many of today's security controls.


There are millions of PCs that are unpatched with the latest security fixes from many vendors. All of them are easy targets for "botnet kings".


I want particularly discuss the so-called Fast-flux and Double-flux botnets because they are prime example of sophistication that the cyber-gangster have these days.
Fast flux (fluctuation) is a technique to continuously move the location of a Web, email, or DNS server from computer to computer on the botnet in an effort to hide its malicious activity (spamming or phishing) and make the detection more difficult. IP blacklists that I personally use against spamming of my e-mails are basically useless in finding fast flux-based botnets.


"Double-flux, as you may guess, is similar to Fast flux but with double trick. With Double flux, the DNS name servers that resolve the Web host names are moved from computer to computer, so you don't know where you are actually connected (and in many instances, you are connected to the proxy pointed to the web server but not to the actual web server. To add even more protection against investigators, many of these systems encrypt (!) their communications, which makes it even more difficult (and close to impossible) to track their activities.


With compromised computers issuing 83% of the 107 billion spam messages distributed globally each day, the shutdown of botnet hosting ISPs, such as McColo in 2008 and Real Host in 2009, appear to have made botnets re-evaluate and enhance their backup strategy to enable recovery in just hours. It is predicted that in 2010 botnets will become autonomously intelligent, with each node containing an inbuilt self-sufficient coding in order to coordinate and extend its own survival. (Source: MessageLabs Intelligence 2009 Annual Security Report)
Are you seeing what I'm seeing?  There is no light in the end of a tunnel, and so far, we are terribly losing the cyber war.


5. Social networking sites problems with uneducated users and security
As technology advances, the cyber-gangsters are on the leading edge. The "break-into-the-system" old methods still take place but now they build the web sites with malicious content, turn their greedy eyes to the social networking web sites, and employ the latest and sophisticated technologies to achieve own goal.

For instance, with over 350 million users (!) of Facebook, this social networking web site becomes a prime target for cyber-gangsters. I have no doubts that the FSB (former KGB) has a copy of all Facebook accounts coupled with scientific analysis software to filter down the most useful intelligence data on citizens of many countries, and especially, United States. Hey, it's almost free database with people who have no clue that their opinions, personal information, employment, personal preferences, and pictures are being thoroughly analyzed and stored in the mainframe computer. I would be surprised if China is not following the same plan, or, perhaps, Russians share their intelligence data with their partner? Thank you, Facebook!


Do you think I am speculating? If the U.S. Government officials reported that in-spite all the efforts to protect the network, they miss at least 20% of all attacks, what the Facebook security personnel can do better? Yes, now they might have enough cash to buy good equipment and security software but we all know that it's not enough. It is the case when "social networking" is being used for "social engineering".


There is a great Top Ten 2010 Social Networking Websites Review Comparison web site that also highlights the security measures applied on each site (Privacy Settings, Block Users, Report Spam, Report Abuse, safety tips). Most sites have information pages dedicated to educating users about the risks of Internet scams but what the chart is missing? One of the most important parameters is how the web sites are protected against phishing and malware attacks. And here is a "proof":
  • Beware: Spam on Facebook and Twitter has reached epidemic.
  • Koobface (social networking worm). It gains access to Facebook profile pages and directs you to view a video that then encourages you to update your Flash player. Malicious files such as flash_update.exe and bloivar29.exe are being downloaded and installed which results in a range of visible problems, including modifications to your Facebook profile, with the immediate result being an error message to contact support.
  • The attack that took down Twitter on 12/9/2009 used legitimate credentials to log in and redirect Twitter.com to a site purporting to be under the control of the Iranian Cyber Army. According to Twitter, the DNS (Domain Name System) settings for Twitter.com were hijacked, resulting in roughly 80 percent of the traffic from the site being redirected elsewhere from 9:46 p.m. to 11 p.m. PST.
  • Lost My Phone, Give Me Your Number!! Groups On Facebook Are A Spammer's Paradise
  • Facebook password-reset spam is Bredolab botnet attack
  • Sophos warns of Facebook 'Rubber Duck' identity theft. A Sophos Asia-Pacific recently installed the Facebook equivalent of a honeypot hacker and discovered how easy to steal an identity on Facebook.
Why the social networking sites became the targets of many cyber-gangsters? The answer is simple. According to FBI, those sites are "a gold mine of personal information" that can be stripped down redirecting users to malicious web sites through innocent link or video. Considering the average Facebook user, for instance, has about 120 friends, it's easy to imagine how the links are distributed and multiplied. Now consider the second number: 300 millions. It is the number of Facebook users. Doing a simple math calculation we are facing a nightmare situation with the security.

"The cyber-criminals are very adept to using social engineering," said Donald DeBold, director of threat research for CA, an Internet security company. "Your friend is in trouble traveling in another country, 'I lost my wallet. I need help.' They exploit the curiosity aspect out of human nature."

This information is distributed not only on social networking sites but also by e-mails harvested in advance. A friend of mine recently called me with a warning that I may receive e-mail with a request to send him money since "he is in London now, and someone stole his wallet but this is not true". I have explained him how the e-mail harvesting works and why his contact list may receive the "cry-help" e-mails. The first recommendation is to quickly change your e-mail address.

I don't say that social networking web sites are doing nothing to protect its users. For instance, Facebook has developed automated systems that detect compromised accounts. They spot and freeze accounts that are sending an unusually high number of messages to their friends.  However, this "business" is very attractive for cyber-gangsters and they become more and more creative.

The Internet Crime Complaint Center received more than 72,000 complaints about Internet fraud in 2008. These cases involved $265 million of financial losses averaging $931 of lost money per person.

6. Daily problems with Internet browsers
No matter how good today web browsers are, all of them are still vulnerable. Recent hacking of Google in China is a proof since it was attributed to a zero-day vulnerability of Internet Explorer (one of the most difficult vulnerability to fix). By the way, more and more people are discovering zero-day vulnerabilities sometimes existed for a long as 2 years. However, the most troubled is the fact that the core of browser security, Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, could be exploited.

Below are some headlines:
  • Security Pro Says New SSL Attack Can Hit Many Sites
  • Zero-Day Flaw in SSL and TLS Protocols (11/05/2009) A zero-day flaw in the secure protocols could be exploited to launch a man-in-the-middle attack.  The discovery of this authentication gap vulnerability means that all affected libraries will need to be patched.
  • Some Firefox extensions may be exploited to install malware.
  • Firefox hit by multiple drive-by download flaws
  • Typical week's vulnerabilities in browsers registered by Secunia service:

    • [SA37448] Internet Explorer Layout Handling Memory Corruption
    • [SA24314] Internet Explorer Charset Inheritance Cross-Site Scripting Vulnerability
    • [SA37273] Google Chrome Two Vulnerabilities

    7. Malicious web sites with pre-built code
    Based on some observations, more than 75% of maliciously engineered web sites are actually legitimate destinations like BusinessWeek.com and MLB.com. As you understand, when employees visit those sites, they become the victims of so-called "drive-by downloads" hacking that automatically install some hacker's virus on your network. Attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet. For instance, rogue on-line pharmacy sites, claiming to sell genuine medicine to naive shoppers, continue to be a problem.
The cyber-gangsters are extremely creative by covering the malicious code with innocent web page content. They use advanced knowledge of web design, programming, and security. I don't want to go into details but I was "impressed" with a hiding technique that is using regular cascading styles sheet (CSS) parameters. Since the style sheets allow creation of several layers of the texts combined with images on the same web page, the cyber-criminals used the CSS parameter that covers the malicious region of a page with innocent content (like advertisement). It could be social networking forum or regular web site that looks exactly like a brand-name counterpart. Looking at the web site, how do you know that that particular web page is infected with a malicious code? Close to impossible!

8. Weak security on most of the hosted sites
My web sites also witnessed the hacking. Apparently, my ISP was not aware but the hacker inserted the Google Analytics - like code into main pages of all web sites residing on that particular server and redirecting web surfers to the web site in China. When I contacted ISP's technical support they said it's my problem and they are not responsible for fixing or protecting against hacking. The hackers would hug and kiss this ISP for such an attitudeรข€¦ It leads to thousands of web sites getting compromised by redirecting to scareware, breaking trough the web servers and stealing data (Hackers hit leading UK climate research unit. Reports are coming in that hackers have breached the servers of one of the world's major climate research units (CRU), posting around 61 megabytes of emails and documents to an FTP server in Russia...).

9. P2P security problems
Most of the employers who are aware of danger to use the peer-to-peer network applications usually restrict any communications for BitTorrent, Kazaa, Gnutella, FreeNet, and Morpheous รข€“ the programs that allow the information exchange and uploading/downloading the files through P2P file sharing networking with higher port numbers.  A BitTorrent client, for instance, normally associates the TCP port number 6881. However, if this port is busy for some reason, the client will instead try successively higher ports (6882, 6883, and so on up to a limit of 6999).

In the view of recent events, these problems may seem not significant. However, these networks are still very much alive and serve the ground to plant if not the new but the known worms and viruses through the infected files being downloaded.

I don't know if you have a sin of downloading the program with a crack through BitTorrent or eMule network but I can give you almost 100% guarantee that the downloaded programs (especially most popular) have an infected file embedded into executable, serial number generator or cracking file.

The danger from the infected file can be quite real since the cyber-criminals (who usually are hidden with a fancy names or avatars) have many options for exploiting the computers. It can be not only the Trojans or viruses for backdoor access (to build the path from outside world to the trusted device) but even legitimate application but with the old, unpatched, and therefore vulnerable files that later can be exploited with any of the freely available hacking tools. Your confidentiality and authentication รข€“ the components of computer security - are no longer in a place since you don't know who actually distributed infected files and who actually gained access to your private folders.

One way to fight with this type of cybercrime is not use the P-2-P networking at all. It may seem obvious but for those who still want to use it, there is only one way to gain the trust is to assign a digital signature to each user, and based on the results and history of downloads or information exchange, assign a level of trust. I don't know if this idea will be implemented soon or it has some flaws but, perhaps, it make sense considering the bad reputation of peer-to-peer networking.

10. New technologies become new targets
  • Cloud computing.
A subscriber to the Amazon pay-as-you-use EC2 cloud computing has had their website hacked, and a command and control (C&C) system installed for the Zeus botnet, which continues to be a problem for PC users, despite the worm being almost two and a half years old.... More
  • Smartphones
As I mention in this article, the attacks on Smartphones will increase in volume. They have already started. The first iPhone was Worm Detected in November, 2009. Users, who have not changed their default Secure Shell (SSH) login password and have jailbroken their iPhones to allow third-party applications to run, are vulnerable to the malware. More and more hacking becomes associated with a "ransomware": iHacked: jailbroken iPhones compromised, $5 ransom demanded, New LoroBot ransomware encrypts files, demands $100 for decryption. Once malware-proof, Smartphones actually have enough security holes to be vulnerable to various hacking attacks. I am not surprised that most of the attacks target the most popular iPhone: Second iPhone worm behaves like botnet. It has been identified by security vendor F-Secure, which claims the new worm has botnet capability and is more threatening than its predecessor. SpyPhone appharvests personal data from stock iPhones.

  • RFID chips
New type of counterfeit credit/debit card fraud that is very disturbing: RFID chips vulnerability. The embedded into credit cards or U.S. passport chips can be hacked with under $100 kit. One simple question arises: how this presumably secure technology was approved for implementation with such a big hole in security?

11. Phishing/Identity Theft and Malicious e-mails / spam
The slogan for this paragraph could be the phrase: "Phishing is a major problem because THERE IS NO PATCH FOR HUMAN STUPIDITY" (Mike Danseglio, program manager at Microsoft). All phishing methods are based on presumption that the PC user is stupid enough to open e-mail, browse to the web site, or click on the offered link without second thought that it may be a phishing attempt. No software or hardware protection can fight with phishing unless the PC users are educated enough about security awareness, and this is the reason why identity and money theft online is so wide-spread.

This is a reason why all sort of online thieves are still ripping the money from naรƒ¯ve computer users.

Here is a list of the Top 10 complaints received by the FTC:
            1) Identity Theft - 32%
2) Shop-at-Home/Catalogue Sales -8%
3) Internet Services -5%
4) Foreign Money Offers -4%
5) Prizes/Sweepstakes and Lotteries -4%
6) Computer Equipment and Software -3%
7) Internet Auctions -3%
8) Health Care Claims -2%
9) Travel, Vacations and Timeshares -2%
10) Advance-Fee needs and Credit Protection/Repair -2%

Some recent headlines:
-       Phishing experiment sneaks through all anti-spam filters.
-        A recently conducted ethical phishing (New study details the dynamics of successful phishing) experiment impersonating LinkedIn by mailing invitations coming from Bill Gates, has achieveda 100% success rate in bypassing the anti-spam filters it was tested against.
-        RockYou has suffered a serious hacker attack that has exposed 32 million of its customer usernames and passwords, leading to possible identity theft.

The word spam is hated by every PC user. Spam now contaminates every form of electronic communication from IM to SMS and from blogs to tweets. The global spam rate for September 2009 is 86.4 %, but the rate for US businesses is reaching 93.8%!

Spam e-mails are used for various reasons but all of them present bigger danger than N1H1 virus that was predicted to overcome the human population quickly. Spam is more successful since e-mails travel across the globe in a matter of seconds and every e-mail box contains this, the most hated type of e-mails. Phishing, re-directing to malicious web sites, infected with a virus legitimate web sites, or faked web sites, e-mail attachments infected with a virus, or combination of methods “all of it“ is not a full list of online threats for PC users.

How do the hackers know your e-mail address? First of all, if you are an active social networking user your e-mail can be easily grabbed by the e-mail harvesting programs. Also, if the web site where you left your e-mail address was hacked, all the information is easily obtained by the hacker. The e-mail lists are being sold on the Internet legally and illegally. I have special e-mail addresses for mass e-mails where I don't care about spam. At the same time, I often resist to provide my e-mail address that I use for business to avoid spam.

With automated spam tools, flexible botnets, and targeted spam campaigns, the spammers constantly improve the technique to overcome any effort to stop them. I am sure that you are familiar with the CAPTCHA technology to verify that you are human when you are filling out the online form. This method helps to fight spammers who use the automatic "fill-out" programs to place the spam links into your online form. Needless to say, the spammers have the tool that can read the image of letters (no matter how distorted they are) and still can fill out the form automatically posting the links they would like you to receive. I design and use the Flash-based online forms for my web sites that are more difficult to circumvent. So far, I was successful and was getting only manually-filled form results.

 "Some of the high spam levels seen across the US can be attributed to the economic challenges experienced globally since the end of 2008 as well as Internet advancement including the high adoption of social networking," said Paul Wood, MessageLabs Intelligence Senior Analyst, Symantec."

Cyber-gangsters are tireless in finding new methods to spam. For instance, they have started preying on Verizon Wireless customers, sending out spam e-mail messages that say their accounts are over the limit and offering them a "balance checker" program to review their payments. Faking Verizon Wireless e-mails offer the balance checker that is actually a malicious Trojan horse program.

Did you receive the e-mail "notification" from IRS about your funds? I did. It is so wide-spread that the IRS has a special message for all taxpayers about being careful with those e-mails. In fact, on December 9, 2009 the Project Honey Pot (to learn more about spam and the spammers who send it, the largest community tracking online fraud and abuse) achieved a milestone: receiving its 1 billionth spam message - a United States IRS phishing scam. In accordance to the Project's report, the most significant highlights include:
- Malicious bots have increased at a compound annual growth rate (CAGR) of  378% since Project Honey Pot started 5 years ago;
- Over the last five years, you'd have been 9 times more likely to get a phishing message for Chase Bank than Bank of America, however Facebook is rapidly becoming the most phished organization online;
- Finland has some of the best computer security in the world, China some of the worst;
- It takes the average spammer 2.5 weeks from when they first harvest your email address to when they send you your first spam message, but that's twice as fast as they were five years ago;
- Every time your email address is harvested from a website, you can expect to receive more than 850 spam messages.


Spam levels continue to rise says Symantec. Around 9 out of 10 email messages now include links or information related to spam or phishing, a new study has indicated. I have posted the article about my method of fighting with spam but with today's botnetsthat are spread out across the globe, my method became less effective. At the same time, if you have the opportunity to configure your mail server I still suggest you to filter down all e-mails with the .CN domain extension.

The other folks' experiment in blocking IP addresses originating worm/virus attacks (that was similar to my method) ended up blocking:
-          China Anhui Province Network
-          China Beijing Province Network
-          China Fujian Province Network
-          China Guangdong Province Network
-          China Hangzhou Node Network
-          China Hubei Province Network
-          China Jiangmen Broadband Network
-          China United Telecommunications Corporation, Beijing
-          Oriental Cable Network Co, Shangha

I have seen so many spam e-mails originated from China that, perhaps, I can safely filter down all of them but I cannot do it if the spam from the Chinese spammers comes from the server located in Brazil or Canada.

12. A circumvention of two-factor authentication
As the online banking was growing in popularity and the security concern pushed the developers to create a two-factor authentication technique, more and more people began shopping and managing their finances online. I remember when in 2002 I have been working on implementing RSA Security solution for remote login to the front firewall. I had to activate the security fobs that generated every 30 sec a random number magically synchronized with the server where the RSA software resided.  In fact, I still use similar fob with PayPal by complementing my user ID and the password with random characters what surely provides additional layer of security.

Since then, this additional layer as well as two-factor authentication is slowly becoming not so bullet-proof. In fact, cybercriminals have successfully circumvented the authentication process. No, they did not break trough the both factors of authentication but rather, first of all, infected the targeted PC with a malicious program and then patiently waited for the crimeware-infected victim to authenticate himself in order to exploit the access in real-time. A recently published article at MIT's Technology Review, details a case where cybercriminals managed to steal $447K despite that two-factor authentication with a fob (similar to mine) was in place.

With banker malware clearly able to operate even on PCs with up-to-data antivirus product (read about Zeus virus above) how to fight it? Perhaps, timely alerts about online transactions could be sent issuing one-time passwords (OTP) over SMS to report a fraud to the report center in order to freeze the transaction and the account itself. The irony is that SMS alerts itself could be exploited due to "badly implemented processes within particular financial institutions allowing a customer to change the mobile number in any particular moment of time. For instance, a Chinese bank wouldn't accept U.S mobile number for SMS alert and one-time password services because cybercriminals are already using services offering to accept and forward any data sent to a particular mobile number within a country where they maintain local numbers for fraudulent purposes". Let's put simply, we cannot rely on two-factor authentication if the environment where we operate is already compromised.

Always in a "reactive" mode
Do you think Antivirus software will save your PC from infections? Consider this. The May 09 lab test of antivirus software from several known vendors reveals not very bright perspective on detecting new viruses:

It's actually a scary picture! Do you realize that on average your antivirus software can detect only 50% of new malware programs? I also found very interesting information about what the antivirus programs are being used by the PC users. About 47% of users use free programs, 23% spend money to buy the full-blown product, about 16% use cracked (!) versions of the commercial software, about 10% still use the evaluation copies, and about 4% either don't use it at all or have no clue what it is.

Frankly, after reading the report, I was pleased with the only one fact: I don't use any of the mentioned software. I have switched to VIPRE from Sunbelt Software that offers new detecting technology and the performance superior to other vendors. While I was among those who use the free versions of the software for many years, this time, after VIPRE detected 11 Trojans on my PC that neither Software Doctor, AVG, nor Adware together could not detect, I have purchased 3 licenses for my home PCs and laptop. I still don't regret. I am waiting for the next version of the software that will include not only Antivirus+Antispyware capabilities but also built-in desktop firewall that should be a free upgrade to the licensed users. I mentioned VIPRE in my blog in April 2009.

Let's get back to the facts.

2 years ago, the Dutch company Secunia released data demonstrating that 28% of all installed apps areinsecure. Recently released WorldMap shows a relatively high rate for insecure programs found on a single PC. The U.S has 3 insecure applications installed per PC on average. Now, I want to reveal another scary number. Considering the number of PCs functioning, U.S. - based PC users have more than 2.7 billion vulnerable programs installed. Yes, not millions but big "B"!

The latest version of Secunia software goes beyond simple discovery and elimination of malware and potentially undermining the usefulness of the antivirus programs in general by measuring the exploitability of cross-browser plug-ins such as Adobe Flash Player, QuickTime, or Sun's Java. I believe it's the first company that reveals the sad truth about wrong emphasis on the scanning technology only forgetting about other vulnerabilities and leaving PC users unprotected with a false sense of security.

I am familiar with this online software since I use it periodically to verify my PC (it's a free subscription). More comprehensive checkup would cost you a couple of bucks. The program does not remove the viruses but rather points to the outdated versions of the software and plug-ins that must be updated immediately. For instance, I found that for some reason my PC has 4 different versions of Adobe reader and all of them are outdated and had to be patched with security updates.

If you ever updated Java software on your PC and had curiosity to look at the listing of installed software, you would be surprised to find out that your PC contains several outdated versions of Java because the Java update software never removes the old versions. As you understand, the folders with the old versions might contain the files that are not patched and created the area of vulnerability.

So, the workstations, laptops, and now the notebooks must be patched as soon as possible not only for OS but also for many third-party programs and plug-ins. The failure to ignore it is like playing Russian roulette รข€“ even with a good luck, earlier or later your system will be compromised. It only takes a single unpatched application or a browser plug-in to exploit the PC by the cybercriminal. Next moment you lose the ownerships of your PC and the owner becomes someone in China. This time, it will not be the teenager who wants to prove own significance by taking over your PC but your PC will become the tool in the hands of cybercriminals to pursue more financially rewarded plans.

Recently, Secunia conducted comparative review of the detection rate of 12 different Internet Security Suites against 300 popular exploits. They found that even the top performer in the test is in fact performing poorly in general. They concluded:

"These results clearly show that the major security vendors do not focus on vulnerabilities. Instead, they have a much more traditional approach, which leaves their customers exposed to new malware exploiting vulnerabilities."


The table of results from Secunia clearly demonstrates that many of your favorite anti-virus products failed to sense the exploits.

Despite the fact that many applications' vulnerability has been already addressed, the end users are still living in the reactive response world. "Cybercriminals on the other hand, took notice, and following either common sense or publicly obtainable data indicating that end users remain susceptible to already patched vulnerabilities, started integrating outdated exploits into what's to become one of the main growth factors for web malware in the face of today's ubiquitousweb malware exploitation kits."

As you see, with all those tools, simple and quite complicated techniques and hacking methods the sophistication of the cyber-gangsters is growing day after day. They have penetrated into every facet of the Internet. Even Google is also not a proof against malicious software. Google is experiencing SEO (Search Engine Optimization) attacks through crafting custom rogue blogs designed to target the 'long tail' of difficult to understand Google searches to avoid having to compete with more popular searches in Google results, according to cyber intelligence company Cyveillance. The blogs redirect visitors that have found them via a Google search, taking them to Chinese domains that attempt to install fake anti-virus software on victims' computers.Yahoo also targeted by Chinese cyber attacks - similar to the one that affected Google.eSoft investigated the matter further and found over 800,000 active URLs acting as rogue blog middleman sites.

A "quality" of hacking software is often higher than the quality of countermeasures.  A recently conducted test by malware researchers exposed that 8 out of 10 malware samples used in the test, successfully bypassed Windows 7's default UAC (user access control) settings. And we are talking about the latest desktop operating software! Yes, we can change some parameters and make the OS more resistant but Microsoft favored the functionality and "likeability" of freshly installed software vs. security probably pursuing the sales goals.

A steady stream of security flaws in the Microsoft Internet Information Services (IIS) software is causing a stir in security researcher circles, with hackers reportedly issuing details of the flaws faster than Microsoft's R&D staff can patch them. Microsoft has warned about hackers starting to use DirectX-enabled files to give them remote access to users' PCs across the internet.
Are you following me? Faster than they can patch them! It is in addition to the fact that the new malware is not being detected in 30% of cases on average! Now, think about our electric grid that is vulnerable to a cyber attack or every other piece of U.S.> infrastructure.

Recently, 60 Minutes (CBS News) disclosed an attack on Brazil's grid. In short:
  • We're not ready for a cyber attack;
  • The hackers can move much faster than the U.S. government;
  • A lot of the worst attacks will revolve around the power grid since everything needs electricity.
"Director of the Center for Strategic and International Studies Jim Lewis spoke of a computer security breach at the CENTCOM network in which intruders managed to gain access to a highly sensitive US military computer system and stay inside for days.  The breach may have been made possible through planted, infected flash drives; the U.S. military has since banned the use of the portable memory devices."

In addition, at a congressional hearing last year in Washington, U.S. administration officials testified that the government's cyber initiative has fallen far short of what is required. Most alarming, the officials said, there has never been a full damage assessment of federal agency networks.

All of it is not so encouraging information, don't you think? And how many times I mentioned China?

2 comments:

cyberteacher said...

Just to prove my points, read the news about Microsoft's fix for Windows XP rootkit:
http://blogs.zdnet.com/hardware/?p=7349&tag=nl.e550

What a joke!

Blogger said...
This comment has been removed by a blog administrator.