Archive for: December, 2007
December 19th, 2007
First prediction for 2008 to come true
Google’s social network, Orkut, has been attacked by a worm that uses “scrap book” messages to propagate. Its only action is to spread and to add Orkut members to a group called “infected by the Orkut virus,” according to this IDG news article.
From the blogger who is covering this, Kee Hinkley:
You get an email notification (or find out on Orkut) that you have a new scrapbook entry. It’s from a friend. It says:
2008 vem ai… que ele comece mto bem para vc (“2008 is coming… may it start very well for you”)
There’s no need to click on anything, just viewing it does the trick. The scrap deletes itself, and adds you to the Orkut Community “Infectados pelo Vírus do Orkut”. That group, as I write this, is gaining members at a rate of at least one hundred per minute.
Let’s see, those were my first and second predictions for 2008: that social networks will be attacked. Luckily this attack took the form of a benign hack to demonstrate a vulnerability (much more effective than publishing a Top Ten Threats list!).
More to come of course….
Update, 13:30 Pacific: more technical details of the Orkut virus here.
December 17th, 2007
Hacking as a competitive edge in the Olympics
Until this morning I had no idea what my 500th blog post would be about. Should I once more rant about how security awareness training is not worth the cost of the posters? (post 184, Dangerous Meme) Do I need to point out one more time how Network Admission Control is, if anything, plain crazy (the now infamous Knocking CNAC, post 28)? Should I extrapolate on how the perimeter is alive and well (De-perimeterization is Dead, post 479)?
No, it has to be Chinese hacking. Many security industry people have been in some way connected to the 2008 Olympic Games over the years. I first met with the IT folks responsible for “securing” the Beijing Olympics back in 2002. The concern expressed then was over protecting real-time reporting of scores; hackers could somehow interfere with those and skew results. But now it turns out that the real story is the pre-game invasion of sports teams’ IT systems with the goal of garnering critical information on training, performance, and other physical factors such as weather for sailing teams.
From an article that just appeared in the TimesOnline:
The first sport targeted was GB Canoeing, which was hit in October. The other Olympic sports in Britain were immediately informed, but the IT system of the Amateur Boxing Association of England (ABAE) was then subject to eight attacks over a three-week period and two investigations have traced all this activity back to internet protocol (IP) addresses in China. “This wasn’t kids mucking around,” Paul King, the ABAE chief executive, said. “This was a real professional job.”
There is a lot of evidence mounting that state-sponsored hacking is being used by China to gain a competitive informational edge on Western nations (post 473). Is that type of behavior spilling over to the sports arena? Evidently.
I have a feeling this will not be my last post on Chinese hacking.
December 12th, 2007
US Government leadership in cyber security lacking
I see that the US assistant secretary of the national cyber-security division of the Homeland Security Department addressed the New York City Metro InfraGard. His remarks are disturbing to me because they reflect a growing (continuing?) cluelessness within the US government on cyber security matters.
A quote from the article:
“You all know our adversaries will stop at nothing to destroy the infrastructures we all work so hard to protect. … We’re all at risk, we’re all responsible, and there’s much more we have to do to protect our critical systems,” Garcia said. “New York is the world’s financial nucleus. … As Wall Street goes, so does the rest of the economy.”
Talk about spreading fear, uncertainty and doubt (FUD). First off, what “adversaries” is he talking about? Cyber criminals? They certainly do not want to damage our infrastructure. Terrorists? Well, if our infrastructure is so vulnerable, what has stopped them from attacking it so far? Obviously something has, because I do not dispute the vulnerability of our infrastructure.
While on the subject of cyber crime, look at what the assistant secretary has to say:
Garcia said there is a $100 billion market for cyber crime — more than the illegal drug market.
I wish I could learn how to harness the power of a meme for marketing purposes. This particular idea, that cyber crime exceeds the drug trade, needs to be killed before it does serious damage. The very least I can do is expose the stupidity behind it. In this way my readers can identify clueless spokespeople whenever they attempt to propagate this idea.
First some history. I have blogged about this before, and here. And most recently when the CEO of McAfee used it. It all started at a security conference in Riyadh, of all places. One Ms. Valerie McNiven, a one-time consultant to the US Treasury Department, stated:
“Last year (2004) was the first year that proceeds from cyber-crime were greater than proceeds from the sale of illegal drugs, and that was, I believe, over $105 billion,”
Well, when I dig into it I find numbers for the global drug trade in excess of $400 billion. Think of it. All of Afghanistan’s economy is fueled by the drug trade. Most of Colombia’s likewise. To give you a sense of perspective, the US Drug Enforcement Agency’s budget is $42 BILLION. Imagine a Cyber Crime Division of the US with a $42 billion budget. Is that what Mr. Garcia is angling for?
Yes, cyber crime is a serious problem. But a $100 billion problem? I think not. Yes it is growing rapidly, yes we are vulnerable. But comparing cyber crime to the illegal drug industry is foolish at best, criminally misleading at worst.
December 11th, 2007
Those clever 419'ers
It had to happen. In this latest technique, scammers hack into someone’s email account and send emails to friends asking for money. In this case, the account of a professor in Calcutta was compromised. The scam artists sent email to a business associate asking for $2,500 so he could get out of a hotel in Nigeria. (Hello??? Nigeria?? That should set off alarm bells with anyone who has been using the Internet for more than, oh, about 15 seconds.)
Stiennon’s simple rule for never getting scammed: Don’t send money. Period. Just don’t.
The 419'ers deserve this treatment.
December 10th, 2007
Haephrati technique used to crack US research lab
The New York Times is reporting that it obtained a copy of a report from US-CERT stating that attacks emanating from Chinese IP addresses successfully targeted employees of Oak Ridge National Laboratory in Tennessee. In addition to research in energy, nanotechnology and “isotope production”, Oak Ridge, according to Wikipedia,
provides federal, state and local government agencies and departments with technology and expertise to support national and homeland security needs. This technology and expertise is also shared with industry to enhance America’s economic competitiveness in world markets.
The attacks took the form of up to seven carefully crafted emails sent to internal addresses that induced employees to open attachments or click on links that installed Trojans capable of stealing information. Sound familiar? Remember the Israeli Trojan fiasco using Michael Haephrati’s crimeware?
I would expect by this time that all US research facilities would be protected from malicious downloads and should certainly not allow the transfer of information from a user’s machine to an untrusted site. I guess there is a large gap between my expectations and reality.
December 4th, 2007
Ten threat predictions for 2008
It is that time of year again. Time to publish my predictions for 2008.
ThreatChaos Predictions for 2008
1. Facebook widgets will be used to distribute malware. Facebook, the hugely popular social networking site with millions of users, has recently introduced the ability for users to create and publish small applications, widgets. These applications could be for just about anything. I have seen one that asks you to compare your friends in a “hot or not” like manner. Another, a simple game, is a blatant rip-off of Scrabble. Facebook hosts these applications and makes it possible for users to share and interact with them. In 2008 we will see attempts to exploit Facebook through these widgets. It could be through a vulnerability in an existing application that could, for instance, allow the download of a malicious Trojan. Or it could be a new application deployed to steal information or infect visitors’ computers.
2. Google’s just-announced OpenSocial is an attempt to break the stranglehold that MySpace, Facebook, and LinkedIn are attempting to establish with their user bases. OpenSocial is a set of tools meant to allow developers to create social network applications that can cross the boundaries of proprietary systems. Imagine a mash-up between your LinkedIn network and your Salesforce.com database. While OpenSocial promises great rewards in increased networking functionality, it opens up risks for exploitation. In 2008 we will see the first attempts to exploit OpenSocial tools to hack social networks.
3. Salesforce.com AppStore will be involved in a data loss incident. In 2007 we saw the first targeting of Salesforce.com (SFDC) through phishing attacks. Once a user’s credentials were stolen, they were used to gain access to their database of contacts, who were then spammed. Imagine the power of an SFDC application that is maliciously used to steal information from those who use it. I predict that 2008 will be the year that SFDC applications will be exploited for nefarious purposes.
4. China will continue to have its way with other nations’ critical information. In 2007 we learned that attacks emanating from the Chinese military had penetrated the German Chancellery, England’s Whitehall and the Pentagon. 2008 will see a continuance of China’s attacks on Western governments and industry. More penetrations of government agencies will be uncovered and publicized.
5. Ex-Soviet states will continue to snipe at each other using the weapons of cyber-extortionists: Distributed Denial of Service attacks, the tactical nukes of the digital era. In May of 2007 a political dispute over a war memorial in Estonia escalated to a full-fledged cyber attack against Estonia encouraged by the Putin regime. I predict that Russia will continue to use its newfound ability to use cyber extortionists’ tools to impose its political will on breakaway states.
6. Cyber crime will get up close and personal. Targeting will become the most profitable means of attack for the cyber criminal. In 2007 Igor Klopov, a 24-year-old Russian, used the Forbes list of wealthiest Americans to choose a target billionaire in Texas. More companies and individuals will find themselves the targets of hackers in 2008.
7. Financial markets will be disrupted by increasingly elaborate schemes: pump and dump combined with DDoS for instance. One scenario that could play out: Hackers use phishing attacks to gain access to online brokerage accounts. They liquidate the victim’s stock portfolio and buy short positions in some other stock. They then execute a massive denial of service attack against the company behind that stock and redeem their positions when the stock tumbles.
8. The world learns what the Storm Trojan is for. The Storm Trojan is one of the most sophisticated pieces of malware ever. It has defensive abilities that are used to try to shut down researchers. To date it has not been used, but its huge distribution, possibly more than 50 million instances, could be one of the most disruptive weapons ever deployed on the Internet. In 2008 we will learn just what the Storm Trojan is meant to do.
9. Terrorist organizations bring out DDoS as a weapon against e-commerce and media sites that choose to display images of Mohamed. This actually first occurred in December 2006 but the site involved chose not to publicize the incident. Imagine what would happen if a site started selling plush toys bearing the names of various prophets? Watch for it in 2008.
10. Game console exploits will be transmitted over the Internet, the Wii in particular. The game console industry is tremendously competitive. One of its biggest opportunities is in networking games between consoles. Network access means exposure to network attacks. Couple that with the wide ownership of game consoles by hackers, and you have an easy prediction for 2008. Vulnerabilities in game consoles will be exploited to spread malware.
-Richard Stiennon
Disclaimer: These predictions are my personal opinions. They in no way reflect the opinions of my employer or ZDNET.
December 2nd, 2007
Secondlife: A+ for proactive security
Background: Secondlife is a way cool immersive virtual world with millions of subscribers, created by Linden Lab. It is a bit beyond the flat 2-D worlds of Myspace and Facebook. It allows users to interact with 3-D avatars. You can purchase property, build on it and offer up videos.
The folks at Secondlife have posted a warning to their blog that there is a bug in the way Quicktime runs streaming video within the Secondlife “viewer” (client software). The bug could crash the viewer. What I find interesting is that Secondlife can monitor all of the content on their “grid” or virtual world and alert their users if an exploit has been developed. For now they suggest not running Quicktime except when visiting known areas within Secondlife. Kudos to Linden Lab for proactively alerting users to this threat.
Even though I predict that there will be many attempts to exploit social networking sites in 2008, I believe the sites have a different opportunity than traditional software companies. Because they control the real-time use of their software, they can update it and protect it in real time. An interesting difference is that their responsibility for disclosure is not the same. Say a site like Digg is compromised by a security researcher who notifies them that, for instance, he can escalate his position by earning as much karma as he wants. Karma is good at these sites. A high-karma poster can get links to the front page of Digg immediately, which can mean over 100,000 hits for the lucky site. Digg can thank the researcher, fix the bug and move on. I believe they would not be obligated to report the bug unless it had been actively exploited.
While software as a service (SaaS) sites will be rife with bugs and social networking sites are happy hunting grounds for info thieves, there is hope that these sites will be faster to respond and repair when attacks develop. Secondlife’s response to this Quicktime bug is a great example of security responsiveness.
Richard Stiennon is an industry consultant. See his full profile and disclosure of his industry affiliations.