IT Security News: So much to tell, yet so little time

There's so much going on in IT security, I don't know which topic to write about first. So, I'm going to lightly touch on most of them and let you decide which ones are important to you.

With so many news items occurring at the same time, I feel like a kid in a candy store, totally paralyzed because I only get to pick one topic. My son, in his infinite wisdom, had the answer: why not offer a glimpse of each topic along with links to more in-depth articles? That way I get to present all the topics, and you, the readers, can dig into more detail if you so choose.

BBC's botnet

In a somewhat controversial move, the BBC's technology program Click purchased a botnet for educational purposes. I'm not sure whether what they did was appropriate, so I'll let you decide:

"Click managed to acquire its own low-value botnet after visiting chat rooms on the internet. The program did not access any personal information on the infected PCs.

If this exercise had been done with criminal intent it would be breaking the law. But our purpose was to demonstrate botnets' collective power when in the hands of criminals."

So what do you think? I'm not a lawyer, but there seems to be precedent suggesting this may be illegal in some countries.

Monetize scareware

When I was writing about antimalware programs, several members commented about a specific piece of malware called Vundo. Besides being difficult to remove, it was one of the first designed to scare users into downloading fake security software such as XPAntiVirus2009.

I'm sorry, but Vundo just got nastier. A FireEye article titled "A new method to monetize scareware" explains that once the new and improved Vundo gains a foothold on the victim's computer, it encrypts personal data such as .doc and .pdf files, even image files. It then opens a window hawking a program called FileFix Pro 2009 that, coincidentally, knows how to decrypt the files. There's a catch though: it's going to cost you. Alex Lanstein of FireEye mentions that:

"Vundo has fundamentally altered its criminal business model from "Scareware" tactics to "Ransomware" extortion. While a user may be "silly" to buy into scareware, they have little choice but to purchase the decryption software once the ransomware does its thing."

If you know someone who has been caught by this, make sure to mention that FireEye provides a Web-based program that decrypts the files. Lanstein also points out:

"A whois on the IP of shows that it's hosted at ThePlanet, and you could have knocked me over with a feather when I found out its IP was registered to an organization out of the Ukraine."

I'm not sure why that was such a surprise; it's becoming commonplace to find malware servers residing there.

Facebook's public search listings

Researchers from the University of Cambridge have published a paper titled "Eight Friends are Enough: Social Graph Approximation via Public Listings" (pdf). Don't worry, the title is scarier than the paper. In what I felt was a very understandable fashion, the researchers explain that Facebook publicizes member information that can be mined by search engines such as Google.

To see what I mean, do a Web search using the string Facebook and the name of someone you know who's a member of Facebook. A Web page will open displaying the name and image of that person along with names and images of eight friends. According to Facebook's privacy policy this is the default configuration:

"Your name, network names, and profile picture thumbnail will be made available to third party search engines."

I've asked several people and none of them have opted out; in fact, none of them even knew this listing existed. I bet you're wondering why I'm concerned about this. Well, the researchers have developed a Web tool that crawls the entire Facebook Web site and can determine any and all interconnections between members. As the researchers mention:

"Knowing who a person's friends are is valuable information to marketers, employers, credit rating agencies, insurers, spammers, phishers, police, and intelligence agencies, but protecting the social graph is more difficult than protecting personal data. Personal data privacy can be managed individually by users, while information about a user's place in the social graph can be revealed by any of the user's friends."

Another area of concern is that friendship information allows more targeted attacks, whether those be actual social interchanges or phishing e-mails that appear to come from a friend. The research paper further explains:

"Leaking friendship information leads to obvious privacy concerns. Social phishing attacks, in which phishing emails are forged to appear to come from a victim's friend, have been shown to be significantly more effective than traditional cold phishing.

Private information can be inferred directly from one's friend list if, for example, it contains multiple friends with Icelandic names. A friend list may also be checked against data retrieved from other sources, such as known supporters of a fringe political party."

So, you may want to opt out of Facebook's public search listing option.
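To make the researchers' point concrete, here is a small simulation I added (not code from the paper or from Facebook): every user's public listing exposes up to eight friends, an outside crawler unions what it sees, and because friendship is symmetric a user who opts out is still named by friends who have not. The graph, the 8-friend sampling and the seeds are all constructed for illustration.

```python
import random

def make_friend_graph(n_users, avg_degree, seed=1):
    """Constructed sample data: a random undirected friendship graph."""
    rng = random.Random(seed)
    friends = {u: set() for u in range(n_users)}
    edges = 0
    while edges < n_users * avg_degree // 2:
        a, b = rng.sample(range(n_users), 2)
        if b not in friends[a]:
            friends[a].add(b)
            friends[b].add(a)
            edges += 1
    return friends

def public_listing(friends, user, k, rng):
    """Model of a public search listing: the user plus up to k of their friends."""
    pool = sorted(friends[user])
    return rng.sample(pool, min(k, len(pool)))

def crawl_public_listings(friends, k=8, opted_out=frozenset(), seed=2):
    """Crawl every listing and union the edges seen. Opted-out users publish
    no listing of their own, but they still appear in their friends' listings."""
    rng = random.Random(seed)
    recovered = {u: set() for u in friends}
    for u in friends:
        if u in opted_out:
            continue
        for v in public_listing(friends, u, k, rng):
            recovered[u].add(v)
            recovered[v].add(u)
    return recovered

def edge_count(graph):
    return sum(len(f) for f in graph.values()) // 2

def edge_recovery_fraction(friends, recovered):
    """Share of true friendships an outsider learns from listings alone."""
    return edge_count(recovered) / edge_count(friends)

if __name__ == "__main__":
    g = make_friend_graph(200, 10)
    print("edges recovered with 8 friends listed:",
          round(edge_recovery_fraction(g, crawl_public_listings(g)), 2))
    popular = max(g, key=lambda u: len(g[u]))
    r = crawl_public_listings(g, opted_out={popular})
    print(f"user {popular} opted out, yet {len(r[popular])} of "
          f"{len(g[popular])} friendships are still visible")
```

With an average of ten friends per user, listing eight of them lets a crawler reconstruct well over 90% of the graph, and the opted-out user's edges are recovered anyway, which is why opting out yourself is only a partial fix.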

MPLS backbone technology is hacked

DarkReading's Kelly Jackson Higgins has a very interesting article titled "Researchers To Unleash Backbone-Hacking Tools at Black Hat Europe". In the article, Higgins mentions that two German researchers from the security firm ERNW, Enno Rey and Daniel Mende, developed attack tools that exploit security weaknesses inherent to Multiprotocol Label Switching (MPLS) and Ethernet technologies.

MPLS is a very efficient protocol that big telcos such as AT&T and Orange Business Services use to push huge amounts of data around the world. In a nutshell, MPLS is a data-carrying mechanism with entrance/exit points called Edge Routers that act as gateways for traffic passing through the MPLS cloud.

In my work with MPLS, I always noticed the lack of concern for system security. Apparently the general consensus was that MPLS was impervious to attack, so why waste bandwidth by adding security measures? I suspect that's about to change.

Conficker.E, yep a new variant

TrendMicro has determined that computers infected with Conficker.C are receiving instructions and morphing. Interesting instructions, to say the least; can you say Waledac and spam?

"Having followed the activities of Eastern European online cyber crime for several years, there is one thing we are certain about - these criminals are motivated by one thing: money.

In the latest activity, we see infected Downad.KK/Conficker.C nodes pulling down new Waledac binaries (perhaps for spamming, as Waledac has been known to do) from a fast-flux domain infrastructure, but now it is also installing Fake/Rogue antivirus malware, too. See the screenshot below."

Brian Krebs of the Washington Post has two pertinent articles that also give credence to the fact that the botnet created by Conficker is going to be a money maker. In his article "Massive Profits Fueling Rogue Antivirus Market", Krebs mentions that the early variants of Conficker were making six-figure monthly incomes.

In his article "Conficker Worm Awakens, Downloads Rogue Anti-virus Software", Krebs points out that the latest version of Conficker is doing something similar by attempting to convince people they need SpywareProtect2009, a fake antivirus program.

Electrical grid and cyber attacks

This subject has been all over the news as of late. It started with the Wall Street Journal's article titled "Electricity Grid in U.S. Penetrated by Spies". As you can imagine, the article created quite a stir, with all sorts of innuendo and finger pointing; you know how it works.

I'm somewhat concerned by the overall lack of evidence, the use of unnamed sources, and the unsubstantiated accusations presented in articles like the Wall Street Journal's. I personally appreciated Larry Dignan's (Editor in Chief of ZDNet) article "Could cyber attackers bring down the U.S. electrical grid?" as it considered all aspects of the topic and contained credible sources. That's how it's supposed to work.

Others have noted this as well. For example, I read a SANS ISC article by Joel Esler titled "Electric Grid in US penetrated by Spies" where he points out something I was mulling over as well:

"According to a chart that is on the article, the number of reported cybersecurity breaches in the US has risen. Now, I look at this graph and I say to myself, "number of reported", not "number of actual". Meaning there were probably many more, and in previous years, not reported. So I take that graph with a grain of salt. However, it does make an important point.

Security awareness is very high right now, and a lot of money is being spent on it, according to the article "under the Bush Administration, Congress approved $17 Billion in secret funds to defend government networks. The Obama Administration is weighing whether to expand the program to address vulnerabilities in private computer networks."

I covered the expansion of authority that Esler was referring to in my article "Cyber security: Can the Senate make the Internet safe?" I'm not a conspiracy nut, but timing is everything in politics.

Final thoughts

See, there is a lot going on in the world of IT security. Hopefully I've increased awareness about most of the current issues. Truth be told, I'm still researching one topic that's very relevant, it even has intrigue. Think ghostbusters. More importantly, it's not predicated on FUD, sources are published, evidence is documented, and the research has been verified by different experts. Curious? Stay tuned.

TechRepublic's IT Security e-mail newsletter (delivered every Tuesday) is a great way to keep on top of security issues related to Information Technology. Please make sure to sign up.


Information is my field...Writing is my passion...Coupling the two is my mission.