
IT Security News: So much to tell, yet so little time

There's so much going on in IT security, I don't know which topic to write about first. So, I'm going to lightly touch on most of them and let you decide which ones are important to you.

With so many news items occurring at the same time, I feel like a kid in a candy store, totally paralyzed because I only get to pick one topic. My son, in his infinite wisdom, had the answer: why not offer a glimpse of each topic along with links to more in-depth articles? I get to present all the topics, and you, the readers, can get more detailed information if you so choose.

BBC's botnet

In a somewhat controversial move, the BBC's technology program Click purchased a botnet for educational purposes. I'm not sure whether what they did was appropriate; I'll let you decide:

"Click managed to acquire its own low-value botnet after visiting chat rooms on the internet. The program did not access any personal information on the infected PCs.

If this exercise had been done with criminal intent it would be breaking the law. But our purpose was to demonstrate botnets' collective power when in the hands of criminals."

So what do you think? I'm not a lawyer, but there seems to be precedent suggesting this may be illegal in some countries.

Monetize scareware

When I was writing about antimalware programs, several members commented about a specific piece of malware called Vundo. Besides being difficult to remove, it was one of the first designed to scare users into downloading fake security software such as XPAntiVirus2009.

I'm sorry, but Vundo just got nastier. A FireEye article titled "A new method to monetize scareware" explains that once the new and improved Vundo gains a foothold on the victim's computer, it encrypts personal data such as .doc and .pdf files, even image files. It then opens a window hawking a program called FileFix Pro 2009 that, coincidentally, knows how to decrypt the files. There's a catch, though: it's going to cost you. Alex Lanstein of FireEye mentions that:

"Vundo has fundamentally altered its criminal business model from "Scareware" tactics to "Ransomware" extortion. While a user may be "silly" to buy into scareware, they have little choice but to purchase the decryption software once the ransomware does its thing."

If you know someone who has been caught by this, make sure to mention that FireEye provides a Web-based program that decrypts the files. Lanstein also points out:

"A whois on the IP of FileFixPro.com shows that it's hosted at ThePlanet, and you could have knocked me over with a feather when I found out its IP was registered to an organization out of the Ukraine."

I'm not sure why that was so much of a surprise; it's becoming commonplace to find malware servers residing there.

Facebook's public search listings

Researchers from the University of Cambridge have published a paper titled "Eight Friends are Enough: Social Graph Approximation via Public Listings" (pdf). Don't worry, the title is scarier than the paper. In what I felt was a very understandable fashion, the researchers explain that Facebook publicizes member information that can be mined by search engines such as Google.

To see what I mean, do a Web search using the string Facebook and the name of someone you know who's a member of Facebook. A Web page will open displaying the name and image of that person along with the names and images of eight of that person's friends. According to Facebook's privacy policy, this is the default configuration:

"Your name, network names, and profile picture thumbnail will be made available to third party search engines."

I've asked several people and none of them have opted out; in fact, none of them even knew this listing existed. I bet you're wondering why I'm concerned about this. Well, the researchers have developed a Web tool for crawling the entire Facebook Web site, and it can determine any and all interconnections between members. As the researchers mention:

"Knowing who a person's friends are is valuable information to marketers, employers, credit rating agencies, insurers, spammers, phishers, police, and intelligence agencies, but protecting the social graph is more difficult than protecting personal data. Personal data privacy can be managed individually by users, while information about a user's place in the social graph can be revealed by any of the user's friends."

Another area of concern is that friendship information allows more targeted attacks, whether through actual social interaction or phishing e-mails that appear to come from a friend. The research paper further explains:

"Leaking friendship information leads to obvious privacy concerns. Social phishing attacks, in which phishing emails are forged to appear to come from a victim's friend, have been shown to be significantly more effective than traditional cold phishing.

Private information can be inferred directly from one's friend list if, for example, it contains multiple friends with Icelandic names. A friend list may also be checked against data retrieved from other sources, such as known supporters of a fringe political party."

So, you may want to opt out of Facebook's public search listing option.
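As an added illustration (this is not the Cambridge researchers' crawler and uses no real Facebook data), the following Python simulation models the leak the paper describes: every listed user exposes up to eight friends, and a user who opts out of public search publishes no listing of their own but can still be named by friends who have not opted out. The graph size, average number of friends and opt-out rate are constructed assumptions chosen only to make the effect visible.

```python
"""Simulation of how public 'eight friends' listings expose a friendship graph.

Constructed model for illustration; the graph is random, not real data.
Each listed user reveals at most K friends. An opted-out user has no listing,
but any friend's listing may still name them.
"""
import random
from itertools import combinations

K = 8  # friends shown per public listing, as the post describes


def make_graph(n, avg_degree, seed=0):
    """Constructed random undirected friendship graph as adjacency sets."""
    rng = random.Random(seed)
    graph = {u: set() for u in range(n)}
    p = avg_degree / (n - 1)  # edge probability giving the requested mean degree
    for u, v in combinations(range(n), 2):
        if rng.random() < p:
            graph[u].add(v)
            graph[v].add(u)
    return graph


def public_listings(graph, opted_out=frozenset(), k=K, seed=0):
    """What a search engine can see: up to k friends per listed user.

    Users in opted_out publish no listing at all.
    """
    rng = random.Random(seed)
    listings = {}
    for u, friends in graph.items():
        if u in opted_out:
            continue
        shown = sorted(friends)
        rng.shuffle(shown)  # assumption: the k displayed friends are arbitrary
        listings[u] = shown[:k]
    return listings


def reconstruct(listings):
    """Rebuild every friendship that any public listing reveals."""
    edges = set()
    for u, shown in listings.items():
        for v in shown:
            edges.add(frozenset((u, v)))
    return edges


def true_edges(graph):
    return {frozenset((u, v)) for u in graph for v in graph[u]}


def edge_recall(graph, recovered):
    """Fraction of all real friendships recoverable from the listings."""
    real = true_edges(graph)
    return len(real & recovered) / len(real) if real else 0.0


def leak_for_user(user, graph, recovered):
    """Fraction of one user's friendships exposed, even if that user opted out."""
    mine = {frozenset((user, v)) for v in graph[user]}
    return len(mine & recovered) / len(mine) if mine else 0.0


def simulate(n=300, avg_degree=30, opt_out_fraction=0.3, seed=1):
    """Run one constructed scenario and report graph-wide and opted-out leakage."""
    graph = make_graph(n, avg_degree, seed)
    rng = random.Random(seed)
    opted_out = frozenset(rng.sample(range(n), int(n * opt_out_fraction)))
    recovered = reconstruct(public_listings(graph, opted_out, seed=seed))
    leaks = [leak_for_user(u, graph, recovered) for u in opted_out]
    return {
        "edge_recall": edge_recall(graph, recovered),
        "opted_out_mean_leak": sum(leaks) / len(leaks),
    }


if __name__ == "__main__":
    result = simulate()
    print(f"friendships recoverable from listings: {result['edge_recall']:.1%}")
    print(f"mean exposure of opted-out users' friend lists: "
          f"{result['opted_out_mean_leak']:.1%}")
```

Running `simulate()` reports how much of the whole graph a crawler can reassemble from eight-friend listings and, separately, how much of an opted-out user's friend list still leaks through friends' listings. That second number is the point in the quoted passage: opting out protects your own listing, not your place in the graph, which any friend who stays listed can reveal.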

MPLS backbone technology is hacked

DarkReading's Kelly Jackson Higgins has a very interesting article titled "Researchers To Unleash Backbone-Hacking Tools at Black Hat Europe". In the article, Higgins mentions that two German researchers from the security firm ERNW, Enno Rey and Daniel Mende, developed attack tools that exploit security weaknesses inherent in Multiprotocol Label Switching (MPLS) and Ethernet technologies.

MPLS is a very efficient protocol that big telcos such as AT&T and Orange Business Services use to push huge amounts of data around the world. In a nutshell, MPLS is a data-carrying mechanism with entry and exit points called edge routers that act as gateways for traffic passing through the MPLS cloud.

In my work with MPLS, I always noticed a lack of concern for security. Apparently the general consensus was that MPLS was impervious to attack, so why waste bandwidth on security measures? I suspect that's about to change.

Conficker.E, yep a new variant

Trend Micro has determined that computers infected with Conficker.C are receiving instructions and morphing. Interesting instructions, to say the least: can you say Waledac and spam?

"Having followed the activities of Eastern European online cyber crime for several years, there is one thing we are certain about - these criminals are motivated by one thing: money.

In the latest activity, we see infected Downad.KK/Conficker.C nodes pulling down new Waledac binaries (perhaps for spamming, as Waledac has been known to do) from a fast-flux domain infrastructure, but now it is also installing Fake/Rogue antivirus malware, too. See the screenshot below"

Brian Krebs of the Washington Post has two pertinent articles that also give credence to the idea that the botnet created by Conficker is going to be a money maker. In his article "Massive Profits Fueling Rogue Antivirus Market", Krebs mentions that the early variants of Conficker were generating six-figure monthly incomes.

In his article "Conficker Worm Awakens, Downloads Rogue Anti-virus Software", Krebs points out that the latest version of Conficker is doing something similar by attempting to convince people they need SpywareProtect2009, a fake antivirus program.

Electrical grid and cyber attacks

This subject has been all over the news as of late. It started with the Wall Street Journal's article titled "Electricity Grid in U.S. Penetrated by Spies". As you can imagine, the article created quite a stir, with all sorts of innuendo and finger pointing; you know how it works.

I'm somewhat concerned by the overall lack of evidence, the reliance on unnamed sources, and the unsubstantiated accusations presented in articles like the Wall Street Journal's. I personally appreciated Larry Dignan's (Editor in Chief of ZDNet) article "Could cyber attackers bring down the U.S. electrical grid?" as it considered all aspects of the topic and cited credible sources. That's how it's supposed to work.

Others have noted this as well. For example, I read a SANS ISC article by Joel Esler titled "Electric Grid in US penetrated by Spies" where he points out something I had been mulling over as well:

"According to a chart that is on the article, the number of reported cybersecurity breaches in the US has risen. Now, I look at this graph and I say to myself, "number of reported", not "number of actual". Meaning there were probably many more, and in previous years, not reported. So I take that graph with a grain of salt. However, it does make an important point.

Security awareness is very high right now, and a lot of money is being spent on it, according to the article "under the Bush Administration, Congress approved $17 Billion in secret funds to defend government networks. The Obama Administration is weighing whether to expand the program to address vulnerabilities in private computer networks."

I covered the expansion of authority that Esler was referring to in my article "Cyber security: Can the Senate make the Internet safe?" I'm not a conspiracy nut, but timing is everything in politics.

Final thoughts

See, there is a lot going on in the world of IT security. Hopefully I've increased awareness about most of the current issues. Truth be told, I'm still researching one topic that's very relevant; it even has intrigue. Think Ghostbusters. More importantly, it's not predicated on FUD: sources are published, evidence is documented, and the research has been verified by different experts. Curious? Stay tuned.

TechRepublic's IT Security e-mail newsletter (delivered every Tuesday) is a great way to keep on top of security issues related to Information Technology. Please make sure to sign up.


48 comments
Jaqui

I bet, if the reporting is open to everyone, those numbers are fairly certain to be about the same. After all, how often have you had someone complain they have a virus / spyware ... when it's just a popup on a website telling them so? Wanna bet those are reported as breaches in security by those same dimbulbs? :D

deepsand

I've really no idea of whether or not such may have violated U.S. Law, let alone that/those of foreign States. However, unless it is demonstrated that someone experienced actual harm, or was put in imminent danger of such, I'd be hard pressed to accept that such act violated the [i]spirit[/i] of any reasonable Law. Within the world of business, many understand the value and importance of having their security measures tested by those skilled in the art. It is very much overdue that individuals learn the same.

deepsand

Jumped from [b]C[/b] to [b]E[/b]???

Michael Kassner

There's a lot going on security-wise. Staying out of trouble is easier if you have the details. For instance, Vundo and Conficker are making moves that could affect you. Learn about the hows and whys.

santeewelding

Meet Deepsand. Count your fingers. Master of the contained.

deepsand

It obviously shows where the miscreant machines are located. But, what of those who control those machines? That, for example, many are located in China may be an artifact resulting from Chinese users being extremely lax with regards to the security of their machines, such that their machines are most susceptible to being used as zombies.

Michael Kassner

I was curious as to what you thought about the Facebook information?

Michael Kassner

Strange and difficult report to read. Not sure who or what to believe any more. I'm also wondering whether the right people are conducting the surveys; do they know what to look for? It's a bit scary.

Michael Kassner

I'd thought that you would have felt it to be an invasion of that person's privacy, interesting. Thanks for commenting, now I'm reassessing my position.

Michael Kassner

With you about this. If you read my last rant about how pathetic the malware naming system is, you'd know that I'm trying to get this improved. It's confusing enough just trying to deal with the actual problem.

search

Nice informative piece. I will definitely take it on board.

seanferd

I am particularly enjoying the "development" of the "conficker phenomenon". First, it took forever to get some number of users aware of the threat, then there was the hype combined with irrational fears of the malware, on to "was it just a bunch of BS", and finally we get Conficker doing business, after a lot of people have said "pfft". It would be funny if the problem weren't serious, and if I hadn't seen this pattern a million times before. I see the SCADA problem following the same path. Utilities have been warned repeatedly, but now we jump straight to "The grid has been hacked by Russians and Chinese", with absolutely no evidence whatsoever. While I don't doubt that governments, patriots, and enthusiasts break into these and other critical systems, this certainly is not a new thing. I'm curious as to the reason for the appearance of this hyped story at this time.

deepsand

But in deed? Or in word alone?

Jaqui

"Social networking" sites like Facebook are designed to expose connections; that is their reason for being. The fact they didn't add the coding needed to allow the opt-out of exposure to include "connections" you have made is just par for their operational model. It also makes sense when you look at the sheer size of their database: searching every connection for a display-publicly-or-not option would carry a massive server load. These sites are slow enough; they don't need that extra server load slowing them down even more.

dixon

...but two things seem clear: Assante is pretty frustrated, and we should be worried.

deepsand

However, given that those who give insufficient attention to computer security stand as a grave threat to all, and, in so doing, violate the rights of all, I must hold that all have a right to take steps to diminish such threat. The right to swing one's fist ends where the nose of another begins.

deepsand

Conficker.C had been variously named, by various security firms, as 1) Win32/Conficker.D (MS OneCare); 2) W32/Confick-G (Sophos); and 3) Trojan.Win32.Pakes.ngs (Kaspersky)

santeewelding

Involving human duplicity, the first casualty is...naming conventions.

Michael Kassner

Any special part that stood out? Would something like this be helpful if it was published on a regular basis?

Michael Kassner

I know several EEs that work for power companies. They laugh uncontrollably when I ask about being owned. They work with what would be considered "dark ages technologies", and that was backed up by Dignan's article. Which, ironically, is a good thing in this situation. What scares the H*** out of me is that this may be a scam by the .govs to get more control.

Michael Kassner

I suspect there will be some stimulus money spent.

Michael Kassner

A TCP/IP exchange constitutes an exchange of information.

jturner

It strikes me more like unsecured wireless: it isn't illegal to connect to it and use their internet, but the second you start looking at their files or hacking their computer you start entering the illegal side of it. The botnet file itself isn't the problem; it is what is done with it, and like the wireless, if you take steps to protect yourself they can't put it there in the first place. I'm not advocating this practice, but if you want to go after them for just having the botnet, then you are going to have to sacrifice a lot of other liberties to go after them.

Michael Kassner

I tend to lean toward individual rights overruling the majority, if only because the tipping point is against that viewpoint and I use it to even up the odds, so to speak. Your comment, "The right to swing one's fist ends where the nose of another begins," really confuses me, as that's what I would propose and not what you suggested in your previous comment. You initially said that allowing outside intervention to alter an individual's property without their permission was acceptable. On that point, I respectfully disagree. I also wanted to ask a question hoping for a positive outcome. How are you feeling? Better, I hope.

Michael Kassner

I was curious about that as well. It's not in any of my several online and IT dictionaries. Cool, a new word.

deepsand

The fly in the ointment, though, is that, while botanists, zoologists, et al. have a vested interest in using a common taxonomy, vendors of security products have a greater interest in promoting their own products over those of their competitors. It is much easier for non-profit entities to co-operate than it is for for-profit ones.

dixon

...something like this: http://www.iczn.org/What_we_do.htm Since people didn't get around to systematically naming plants and animals until the 1700s, maybe malware's too new a reality to be treated like that yet.

deepsand

So, I'm lost as to how [i]Kingdom[/i] might "equate to 'malicious software'." My point was that, since each security firm acts independently, and in a competitive marketplace, each does in fact employ its own taxonomy, such that we have a multitude of taxonomic conventions, thus effectively placing the [i]Company[/i] at the very top; i.e., in the [i]Kingdom[/i] position.

Michael Kassner

Keep it going; maybe we can figure out how the big guys should be naming these things.

dixon

...but couldn't 'kingdom' equate to 'malicious software'? I know, first we'd have to have a Supreme Naming Authority or something.

dixon

...ought to work: kingdom --> phylum --> order --> family --> genus --> species --> variety. At least folks might be on the same page with that approach. I always knew forestry school would prove useful, someday.

deepsand

To do so would be to allow that the party to first discover may in some way be superior. The competitive nature of the businesses won't allow that.

Michael Kassner

Elsewhere in the scientific world, naming isn't that difficult. Why can't it be so for this? Let the party that initially found the piece of malware name it, but still base the name on set guidelines.

deepsand

could have been designated Conficker [b]E[/b] by anyone!

Michael Kassner

Major hit points as it gets more and more confusing the longer a piece of malware exists, just from the number of different names it accrues.

santeewelding

I find it relevant and an effective use of electrons.

Michael Kassner

Some call it a fault of mine. I have absolutely no idea how to tell a non-truth. It's too complicated. Besides, I value your opinion. So was this article relevant or did I waste electrons?

santeewelding

the first casualty is truth." Or so goes one version. There are more. "In war, law takes a vacation." And the old standby, "Assume nothing. Question everything."

Michael Kassner

I'm not following you. Are you referring to the travesty they call malware nomenclature? If not I missed something and that scares me a lot more.

seanferd

I can see several parties with interests:
- Gov wants more control
- Other people who want the gov to take control
- People or utilities who want gov money
- Yer average fear-mongers looking to attack or discredit other countries, the gov't, peace-niks, whatever the flavor of the day is.

edit: A lot of my prior reading about SCADA systems security was at DarkReading; although I haven't followed a lot of recent material, I did like the take in "WSJ's 'meatless' spies story". http://darkreading.com/TechSearch/Search.jhtml;jsessionid=PW1XYWG5BLTRMQSNDLPSKH0CJUNN2JVN?personality=category&search=Go&queryText=SCADA