Category: Spyware
February 14th, 2008
Ben Edelman targets C-NetMedia
Ben Edelman has created a nice Valentine’s day post. I am sure the folks behind C-NetMedia are swooning over it even now. Ben eviscerates these guys. First he tracks all of the deceptive Google ads that make C-NetMedia’s product appear to be “official” and attempt to associate it with Spybot Search & Destroy, the truly excellent anti-spyware product.
While Ben points out that C-NetMedia is not in any way related to CNET, the media company that owns, among other things, ZDNet, the host of this blog, he does not point out the obvious desire on the part of these perps to associate themselves with the largest channel for anti-spyware software, CNET’s Download.com.
Ben then goes on to show how C-NetMedia’s product incorrectly identifies “43 parasites” on his clean PC and asks for money to clean it up.
My advice to these people at C-NetMedia: Run, run very fast. Ben is after you. And where Ben stalks, the FTC is not far behind!
February 7th, 2008
Funny. 5/3 Bank advertises malware site in brochure
An alert blogger at BuggStompers picked up a brochure at his last visit to the bank. The brochure, titled “Protect Yourself From Malware”, points you to a site to download Spybot Search & Destroy. But it is not Patrick Kolla’s site at Safer Networking that they provide. As you can see from this scanned image, 5/3 Bank directs lobby visitors to go to spy-bot.net, a dangerous malware site.
Too funny.
January 31st, 2008
Sumitomo copycat crime in Stockholm
Long-term readers of Threatchaos will recall the attempted Sumitomo Bank heist in London. In that incident a gang connected to an Israeli crime syndicate infiltrated the London branch of Sumitomo Mitsui and installed hardware keystroke loggers on desktop machines within the bank. With the stolen credentials they attempted to transfer a reported 220 million pounds to bank accounts around the world.
There are still many questions that remain unanswered in the Sumitomo case. I have maintained a Google alert on Sumitomo for the last two years and there has not been a whisper about any arrests, prosecutions or actions in that case. For all we know the entire gang is still on the loose.
Now we have a fresh incident to look at in Stockholm. Apparently, an employee at a bank in a suburb of Stockholm noticed that his computer was acting strangely, looked under his desk, and pulled the plug on a piece of foreign hardware. The report claims he interrupted the bank robber’s attempt to transfer millions of something (kroner?). Wow, good timing. This incident occurred last August. The news is breaking now because the Swedish police are claiming to have the bank robbers in custody. Kudos to them. They should share their techniques with the police in London.
Now, let’s hope that through a public prosecution we learn all of the details of this bank heist. Without that how are the 50,000 or so other banks around the world going to adequately protect themselves against becoming victims of similar attacks?
January 24th, 2008
Cyber confusion. What is the Air Force talking about?
If you are like me your eyes cross and you feel a ringing in your ears when you are exposed to military-speak. The acronyms are fun and serve to separate insiders from outsiders, kind of a tribal thing. But it sure makes it hard to figure out what is really going on. Take Ellen Messmer’s article today in Network World Magazine. She interviews Air Force Lt. Gen. Robert Elder, who is head of the Air Force “Cyber Command.”
Now let me warn you, the military uses the word “cyber” as a noun. When a military guy says “cyber is important” he means something like “networks are important”. So, while “Cyber Command” should mean using networks to provide command capabilities, the Air Force has abused our language once again, because what they seem to mean is “network management”. In other words, there is now one group within the Air Force responsible for network management and it is headed up by Lt. General Robert Elder.
OK, so what does he say?
NWW: The Air Force has obviously made use of networking for a long time, so what’s really different about the Cyber Command?
Elder: We differentiate between computer network security and computer network defense. Once you’re through the gate, you’re in, so we look at that as hostile territory. It’s inside defense. Right now, most of what we do today is computer network security. But we know our adversaries will attack, and we need training and cyber tools.
See what I mean? Hard to decipher. “Once you’re through the gate, you’re in.” I love that.
NWW: What kind of attacks are of concern?
Elder: Phishing, for example, is a type of attack. We’re arming airmen with the skills to recognize a phishing attack. We’re installing tools to check URLs. We’re integrating commercial products with our own host-based security systems.
Phishing? Phishing is a problem? Are you starting to get worried here?
NWW: How many people are in the Cyber Command today?
Elder: There are at least a few thousand people now and it will grow to between 5,000 and 10,000. Many people are re-assigned from all over the Air Force. The goal is to be fully established by October. We can’t do anything without cyber — today, we talk about operations in the cyber domain.
At first reading I thought he was talking about 10,000 people doing cyber security. But this number must mean 10,000 people in IT, right? Those parts of IT that have not been outsourced to EDS, that is.
But, good news. The new Cyber Command is going to make some radical changes:
NWW: What steps can you take?
Elder: We’re putting a lot of things in place, like moving toward a policy on our firewalls to deny all except by exception.
Yikes, let me check the date on this article. Maybe it is from 1995? That was when the rest of the world figured out firewalls. Nope, 01/23/08. This just reinforces my image of most military operations when it comes to security: they are in the Twilight Zone, a world of their own, completely separated from reality, and most unfortunately, completely unprepared to face their enemies.
Update: Thanks to John Andrew Prime of Gannett for this helpful clarification: LTG Bob Elder is the commander of the 8th Air Force and the Cyber-Strike action component of Air Force Cyber Command (Provisional), but the actual commander of AFCYBER(P), as the U.S. Air Force calls it, is Maj. Gen. William “Bill” Lord. He answers directly to USAF Chief of Staff Gen. T. Michael Moseley. You can see all the top commanders of the new command at its Web page, http://www.afcyber.af.mil/
January 23rd, 2008
Now this is leverage: scaling a phishing operation
Great research over at Netcraft today. They have found a site called Mr. Brain, set up by some Moroccan hackers, that offers a whole suite of phishing tools. The phishing tools are the usual set: cloned HTML, a management interface for routing stolen bank card info, etc. But these tools come with a bonus! All of the stolen data is also sent to the guys at Mr. Brain!
Brilliant.
January 22nd, 2008
IP address = PII? I don't think so
Yikes, what is it with regulators and legislators? Do they have no one on their staffs to clue them in? Evidently the European Parliament’s Civil Liberties Committee is discussing classifying IP addresses as personally identifiable information. That is crazy talk of the third degree. They think of IP addresses as physical addresses when they should think of them as freeway exits. I, for instance, live nearest to exit 69, Big Beaver Road, off of I-75. (Yeah, yeah, it’s a big joke around here.) And, of course, that exit number can change at any time, arbitrarily. I can see how the clueless can be confused by IP addresses. They seem to be attached to your computer. I would suggest that these Euro-equivalents of Senator Ted Stevens do an ipconfig in cmd mode on their laptops next time they are connected at a wireless access point. “Hey! Who changed my IP address?” But what’s the use? Anyone who can do that has a clue already.
Outlawed hacking toolz in Germany, forbidden words in Brussels, it’s enough to make one lean towards technocracy over democracy.
January 3rd, 2008
"Secret Crush" first malicious widget on Facebook
The cyber sleuths at Fortinet have tracked down a malicious widget on Facebook. Read the advisory at the FortiGuard Center.
The “Secret Crush” widget suggests that someone has a secret crush on the recipient, and to find out who, he/she has to install the widget and, oh, btw, invite five Friends to do so as well. The widget then proceeds to install the Zango malware that we all know and love. (Remember when Zango was installed via MySpace videos?)
As I predicted in my Top Ten Threat Predictions for 2008 below, these malicious uses of social networks will become yet another challenge to safe use of the Internet. Look for more to come!
Full disclosure: I work at Fortinet. Occasionally the FortiGuard team *does* scoop the world and I will take advantage of that to get the word out here on emerging threats. Especially when I can say “I told you so!”
December 4th, 2007
Ten threat predictions for 2008
It is that time of year again. Time to publish my predictions for 2008.
ThreatChaos Predictions for 2008
1. Facebook widgets will be used to distribute malware. Facebook, the hugely popular social networking site with millions of users, has recently introduced the ability for users to create and publish small applications, widgets. These applications could be for just about anything. I have seen one that asks you to compare your friends in a “hot or not” like manner. Another, a simple game, is a blatant rip-off of Scrabble. Facebook hosts these applications and makes it possible for users to share and interact with them. In 2008 we will see attempts to exploit Facebook through these widgets. It could be through a vulnerability in an existing application that could, for instance, allow the download of a malicious Trojan. Or, it could be a new application deployed to steal information or infect visitors’ computers.
2. Google’s just announced OpenSocial is an attempt to break the stranglehold that MySpace, Facebook, and LinkedIn are attempting to establish with their user bases. OpenSocial is a set of tools meant to allow developers to create social network applications that can cross the boundaries of proprietary systems. Imagine a mash-up between your LinkedIn network and your Salesforce.com database. While OpenSocial promises great rewards in increased networking functionality, it opens up risks for exploitation. In 2008 we will see the first attempts to exploit OpenSocial tools to hack social networks.
3. Salesforce.com AppStore will be involved in a data loss incident. In 2007 we saw the first targeting of Salesforce.com (SFDC) through phishing attacks. Once a user’s credentials were stolen they were used to gain access to their database of contacts, who were then spammed. Imagine the power of a SFDC application that is maliciously used to steal information from those who use it. I predict that 2008 will be the year that SFDC applications will be exploited for nefarious purposes.
4. China will continue to have its way with other nations’ critical information. In 2007 we learned that attacks emanating from the Chinese military had penetrated the German Chancellery, England’s Whitehall and the Pentagon. 2008 will see a continuance of China’s attacks on Western governments and industry. More penetrations of government agencies will be uncovered and publicized.
5. Ex-Soviet states will continue to snipe at each other using the weapons of cyber-extortionists: Distributed Denial of Service attacks, the tactical nukes of the digital era. In May of 2007 a political dispute over a war memorial in Estonia escalated to a full-fledged cyber attack against Estonia encouraged by the Putin regime. I predict that Russia will continue to use its newfound ability to wield cyber extortionists’ tools to impose its political will on breakaway states.
6. Cyber crime will get up close and personal. Targeting will become the most profitable means of attack for the cyber criminal. In 2007 Igor Klopov, a 24-year-old Russian, used the Forbes list of wealthiest Americans to choose a target billionaire in Texas. More companies and individuals will find themselves the targets of hackers in 2008.
7. Financial markets will be disrupted by increasingly elaborate schemes: pump and dump combined with DDoS for instance. One scenario that could play out: Hackers use phishing attacks to gain access to online brokerage accounts. They liquidate the victim’s stock portfolio and buy short positions in some other stock. They then execute a massive denial of service attack against the company behind that stock and redeem their positions when the stock tumbles.
8. The world learns what the Storm Trojan is for. The Storm Trojan is one of the most sophisticated pieces of malware ever. It has defensive abilities that are used to try to shut down researchers. To date it has not been used, but its huge distribution, possibly more than 50 million instances, could be one of the most disruptive weapons ever deployed on the Internet. In 2008 we will learn just what the Storm Trojan is meant to do.
9. Terrorist organizations bring out DDoS as a weapon against e-commerce and media sites that choose to display images of Mohamed. This actually first occurred in December 2006 but the site involved chose not to publicize the incident. Imagine what would happen if a site started selling plush toys bearing the names of various prophets? Watch for it in 2008.
10. Game console exploits will be transmitted over the Internet, the Wii in particular. The game console industry is tremendously competitive. One of their biggest opportunities is in networking games between consoles. Network access means exposure to network attacks. That coupled with the wide ownership of game consoles by hackers and you have an easy prediction for 2008. Vulnerabilities in game consoles will be exploited to spread malware.
-Richard Stiennon
Disclaimer: These predictions are my personal opinions. They in no way reflect the opinions of my employer or ZDNET.
July 20th, 2007
Last bastion of trust falls
IT security practices have always been dominated by trust, often myopically. Specialized applications are still deployed with the assumption that end users, be they customers, contractors, or employees, would not attempt to abuse that trust. LexisNexis fell victim to this trust, as did ChoicePoint, when they assumed paying customers would not actually have criminal designs on their data.
Last week I pointed out that our most trusted employees, database analysts, could have base motives as well. This misplaced trust is slowly succumbing to a trust-but-verify model where strict access controls and monitoring are used to minimize the internal threat.
Another layer of trust has recently been demonstrated to be dangerous. That is the trust in our communication infrastructure, in particular: voice. Obviously, any law enforcement agency can use legal means to tap a phone switch and record conversations if they have jumped through the right legal hoops. But what about an internal employee of the phone company? Can they program the phone switches to tap into our conversations? Would they do this?
Apparently so. In 2005 it came to light that a major breach in security had occurred and over one hundred phones of government officials, activists, and US embassy personnel had been tapped into and possibly all of their phone conversations recorded. Just imagine the rich fodder available to an extortionist or political operative that had access to those conversations!
There is now an entertaining article available at IEEE that details how this hack was achieved. It is one of the most sophisticated attacks that has ever been detailed to this extent. Over 6,500 lines of code were inserted into various modules that ran the Ericsson switches owned and operated by Vodafone Greece. To me it has all the hallmarks of an inside job. The hackers were experts in switches, knew how to cover their tracks, and quickly ran when they detected signs of being discovered. The fact that an employee was found hanged in his apartment soon after the discovery of the hack is probably relevant as well.
“A study of the Athens affair, surely the most bizarre and embarrassing scandal ever to engulf a major cellphone service provider, sheds considerable light on the measures networks can and should take to reduce their vulnerability to hackers and moles.”
The code used the modules that Ericsson ships with every switch that allow phone conversations to be tapped and split off to other phones. So, in this case the hackers were able to remotely monitor all the calls made by their targets and to cover their tracks. And oh, by the way, Ericsson switch software is developed in... Greece!
It is too bad, but Vodafone opted to shut down the hack before they called in law enforcement, thus ruining any chance of tracking down the culprits. This is one of the most egregious instances of failed computer emergency response activity ever.
If you are responsible for internal security at your organization read this article. Then think about how you could avoid this level of sophistication in an attack. If you work at a phone company think about beefing up your monitoring of suspicious activity beyond just accounting.
In the mean time the rest of us can begin to worry that our conversations are being listened in on. Skype anyone?
July 17th, 2007
UTM in Asia
I have UTM on my mind. As I travel through Asia these two weeks I am meeting with journalists, analysts, and large telecom providers, and they all want to debate UTM (Unified Threat Management). Of course the usual best-of-breed versus “suite” issue is raised often. But the most common concern is just one of perception: that UTM is for small businesses that do not have IT security specialists who could configure firewalls, IPS, AV, and URL blocking, whereas large enterprises with existing staffs are going to continue to invest in stand-alone solutions.
My own explanation for the fact that the UTM concept is slow to be picked up in Asia is that the overall investment in multiple security devices has been slow, so the arguments made in favor of combining functionality don’t work. UTM would mean adding *more* functionality, not consolidating existing security into one platform. But, as spam filtering becomes more important (Singapore just enacted its anti-spam act, Hong Kong is working on its own) and as URL filtering becomes required to block threats, UTM will gain momentum.
Here is a great discussion on the drawbacks of multiple-vendor UTM from a blogger whom I met in Israel last February. Barry Shteiman points out that adding OEM’d components to a firewall platform (à la Cisco, Juniper, etc.) is inefficient and does not allow the UTM functions to work together. I like his discussion of “Real UTM”. By “real” he means really unified. But I do not think there is any sort of RFC or standard that could be developed that would allow the various UTM components to chatter amongst themselves to get to better security. Remember when Check Point created OPSEC to allow various devices to interface with Check Point firewalls? No one ever wanted to turn on the ability to let the IDS device, for instance, block the source of an attack. The integration was at too high a level. It changed policies in the firewall. That introduced great Denial of Service opportunities and was too scary. Barry’s ideas line up pretty well with my article in SC Magazine last month. He even assumes advanced routing features in today’s UTM, which is not a given.
The BIG opportunity in Asia right now is next generation managed services. More on that later.
-From Tokyo
And the obligatory disclaimer: I am in marketing
Richard Stiennon is an industry consultant. See his full profile and disclosure of his industry affiliations.