The value to black hat people is intellectual, or a funny sense of humour, or commercial advertising data farming, or financial blackmail, or political, or hate of an organization. Viruses or trojans or spy bots are the ones that cost me the most system downtime because I'm not rich, not a large company, not part of a government or military defence organisation. I think that sales and marketing are responsible for indirect funding of intrusive spy bots because they purchase any data harvested for their commercial use. Why do banks, games companies and utility companies collect sensitive information and then store this data on insecure databases?
What about all of the systems that are hacked and compromised without the user ever knowing it? Those of us who work in the trenches see this all the time. In my experience, the average Internet user often does not know when his or her computer has been compromised. We are encountering more and more malware that uses clever technical as well as social engineering mechanisms to either go undetected, or unrecognized as malicious by the end user.
To me, this is where our concern should be concentrated.
Equally important assumption, unsupported by numbers, given the nature of the beast.
No assumption is made of how many are unknowingly hacked, that's his question.
I have said several times that I am not aware of any hacking on my system, but at the same time, I think that a hacker would be very disappointed in his finds.
I see this argument all the time. User is hacked and he doesn't even know he's hacked. Isn't this the same as claiming that we are battling an invisible unmeasurable phenomenon?
Well we can't know the extent but we can know it is large.
From network logs we can say there are many machines sending spam and denial of service attacks without users knowing, and often from corporate networks. I see them on my tiny network every day. This is also why a few stupidly run mail servers block emails from DSL connections rather than checking for MX records, and networks with mail servers and Windows machines are advised to block outgoing port 25 connections.
All of these machines could be used to grab banking details, but then you would find out, and maybe they would wait at least 6 months to get spam or encryption key processing first anyway.
In other words they may well use the lower hanging fruit to go after bigger fruit, i.e. attacks during Denial of service attacks from all of these compromised machines.
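The post above says the compromised machines show up in network logs as hosts pushing spam out directly, and that the usual remedy is to block outbound port 25 from everything but the real mail relay. The following is an added example for this thread, not code from the poster: it runs that detection over a handful of constructed connection-log lines (the `src=... dst=... dport=...` format is invented for the example, as is the assumption of a single allowed relay at 192.168.1.10) and reports which internal hosts would have been stopped by an egress port-25 filter.

```python
"""Spot likely spam bots from outbound SMTP connection logs.

Added example for this thread, not code from the original post. The log
format below is constructed for the example (one connection per line);
real firewall or NetFlow exports differ, so adapt parse_line() to yours.
"""
import ipaddress
import re
from collections import defaultdict

# Assumption for the example: one internal relay is allowed to speak SMTP
# to the outside. Any other internal host on outbound port 25 is suspicious.
ALLOWED_RELAYS = {"192.168.1.10"}
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/16")

# A workstation talking to this many distinct SMTP servers is not a person
# sending mail; it is a bot delivering spam straight to MX hosts.
DISTINCT_DST_THRESHOLD = 3

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)

# Constructed sample: the relay (.10), a bot (.23), a normal client that uses
# the relay (.31), and a host with a single outbound SMTP connection (.40).
SAMPLE_LOG = """\
2010-06-12T10:01:02 src=192.168.1.10 dst=203.0.113.5 dport=25 proto=tcp
2010-06-12T10:01:05 src=192.168.1.10 dst=198.51.100.7 dport=25 proto=tcp
2010-06-12T10:01:09 src=192.168.1.23 dst=203.0.113.5 dport=25 proto=tcp
2010-06-12T10:01:10 src=192.168.1.23 dst=198.51.100.7 dport=25 proto=tcp
2010-06-12T10:01:11 src=192.168.1.23 dst=192.0.2.44 dport=25 proto=tcp
2010-06-12T10:01:12 src=192.168.1.23 dst=192.0.2.45 dport=25 proto=tcp
2010-06-12T10:01:13 src=192.168.1.23 dst=203.0.113.9 dport=25 proto=tcp
2010-06-12T10:01:20 src=192.168.1.31 dst=192.168.1.10 dport=25 proto=tcp
2010-06-12T10:01:25 src=192.168.1.31 dst=203.0.113.80 dport=443 proto=tcp
2010-06-12T10:01:30 src=192.168.1.40 dst=198.51.100.7 dport=25 proto=tcp
"""


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def outbound_smtp(log_text):
    """Yield records for internal -> external TCP/25 connections only."""
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["proto"] != "tcp" or rec["dport"] != 25:
            continue
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if src in INTERNAL_NET and dst not in INTERNAL_NET:
            yield rec


def find_spam_bots(log_text, threshold=DISTINCT_DST_THRESHOLD):
    """Return {src: sorted external SMTP destinations} for hosts that are
    not an allowed relay and reached at least `threshold` distinct servers."""
    dsts = defaultdict(set)
    for rec in outbound_smtp(log_text):
        dsts[rec["src"]].add(rec["dst"])
    return {src: sorted(d) for src, d in dsts.items()
            if src not in ALLOWED_RELAYS and len(d) >= threshold}


def policy_violations(log_text):
    """Every non-relay host that made any outbound SMTP connection: the
    connections an egress filter on port 25 would have blocked outright."""
    return sorted({rec["src"] for rec in outbound_smtp(log_text)
                   if rec["src"] not in ALLOWED_RELAYS})


if __name__ == "__main__":
    for host, targets in find_spam_bots(SAMPLE_LOG).items():
        print(f"likely spam bot: {host} -> {len(targets)} distinct SMTP servers: {targets}")
    print("non-relay hosts an egress port-25 filter would block:",
          policy_violations(SAMPLE_LOG))
```

The threshold separates the two checks on purpose: a single stray port-25 connection from a desktop is a policy violation worth blocking, but the host fanning out to many MX servers is the one to pull off the network and image.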
All of my research has shown the number of infected computers is nowhere near the two billion computers in use on the Internet. That is a tribute to people -- such as yourself -- who are tirelessly working to keep the percentage low.
My research -- with regards towards this article -- still shows that the number of computers left alone is significantly more than those attacked.
It's obvious. Predicting target selection needs to take the attacker's goal into account.
Of course, not all goals are the same, so one should never use that as an excuse to be lax about security. You may be safe due to a lack of malicious security cracker interest in you today, but tomorrow some other malicious security cracker might come along who has different goals -- or maybe a way to make exploiting your security weaknesses "cheaper" so that suddenly your piss-poor password is so easy to crack that your relatively low target worth is still profitable. Automation works wonders for such things, and automation is what computers do.
The insight that (often average) value determines the most tasty targets is descriptive, and not prescriptive. Just as we should be unpredictable when establishing our defenses, we should realize that malicious security crackers will aim to be unpredictable when planning their own strategies. Secure yourself to the reasonable best of your ability, or you might be the first target in a new attack strategy.
because it was appended to a spam message.
Did you see my response? About how it feels like some kind of roll-back - perhaps a load-balancing buffer that is dumped out if the back-end finds it to be mostly spam...?
I saw it in an email alert.
I wasn't talking about parts of spam subthreads, though. I was talking about interesting discussions where I respond to someone like Sterling, and I can't get the damned thing to keep my comment when I click the submit button. It just vanishes entirely, as if I had never written it, far too often.
the spam subthread thingie is a known feature, it's not related to what I am talking about.
I've started discussions, seen them grow to small threads (so definitely there, and there for others too), then *poof* all gone.
That's what makes me think of what it looks like when a system is restored to an earlier state, everything newer is gone like it never happened.
That doesn't explain why I can, for instance, have a post disappear, post something different (and essentially contentless) and have it appear and remain, then post another thing meaningful and have it disappear, all at the same response depth. It also doesn't explain why, if I post something meaningless, then edit it to be something meaningful, the edit might cause it to disappear -- not to revert to its previous state, but to disappear -- and for things posted later at the same response depth to still be there.
in a few other otherwise-reconcilable debates around here lately! For the time being, at least, it seems that the less relevant the content, the greater the likelihood a comment will post. Murphy....
invariably the tone of a response gets chillier, and the wordings more simple, the more times the poster had to write it out before it stuck.
An obvious one was a question answered by Col, which disappeared for a day or so, then came back. I've also had a post apparently not post in the first place, but it showed up some 30-ish hours later.
How would anyone know that you exist on the internet? You would have to visit a compromised website or post something publicly. I would imagine that entering in banking information would be the most likely way that someone would want to intercept your data. This is why you don't want to do your banking from a public wifi.
If, for example, I only used the internet to read this website (Techrepublic) then this website would have to be itself compromised to expose more information than I give out about myself. But then what? I think that "hacking" is more difficult than most realize.
I install programs on my computer occasionally and have trouble getting them to work. Conflicts with my other hardware and software are pretty common. It would be even more difficult to get something to work remotely on a system where you cannot be sure of all of the software and hardware that they are running.
If it's not too prohibitive, the attacker can use the shotgun approach or as Ansu pointed out a botnet. Find a vulnerability, then decide if the ROI is worth the effort.
Of course the goal of the cracker can change every technique, but in a banking heist the cracker simply waits until his console alerts him of a cracked PC account that is opening an SSL session, for example. He can then decide which target deserves personal interference to the target. He may then start a RDP session to see what is going on, or he may even have sophisticated enough malware that can provide more surveillance data to aid in the selection process.
For successful man-in-the-middle attacks, he can wait until the alert shows he's in the middle of the session, and then take control. With the new Zeus variants, it gives the criminal a lot of leeway to assess the target. The malware does almost all the work until the last second.
I don't think the costs are too prohibitive for these criminals, as they acquire their targets from huge databases of pwned targets, and only have to wait until one of them pays off, which is probably enough to at least get him to check his console every so many minutes. The work may be long and tedious, but if you are an over-educated technician in the eastern European former Soviet bloc with no job, time you got plenty of.
The costs of buying the bot-net time to attack your targets, and service space for command and control, and the Zeus kits are not terribly expensive, and usually paid for in misbegotten credit card numbers anyway. It is not unusual for a cracker to buy C&C space from a disreputable server farm for 19 dollars for three months temporary service (another example). This small price is paid for by credit card numbers stolen from online vendors who have poor security for their customers. They probably do this far in advance to keep themselves in control for at least a year in advance. They will be hard to find running this way, changing every three months or less; and that is only if an investigator finds his bot net space and detects the control sessions. As complicated as this sounds, a cracker has nothing but time to sit and smoke and think up ways to avoid prosecution, and evade data and web detection. This process is getting easier for the crooks as there are actually services that do nothing but that for them, including selling card numbers that have already been stolen, and are ready for picking. It is becoming a freaking organized industry all the way. Advertising for money mules is probably the largest expense, but who says that isn't paid for in similar manner? I must admit this is the only part I haven't seen as a business service for criminals yet.
I am learning a lot about things like this, because I had a small amount of money stolen from one of my vendors, and the crook did just that - bought three months of server space from a fishy web-server farm. It was hard to find out just where this farm was too, because the information at the site was all a lie - of course. I turned the domain name and information in to the FBI, but they don't personally look at any case under $5000 dollars anyway. I'm sure they crunch the numbers to gain an overview of the nature of web/banking crime.
Maybe not everyone gets hacked personally, but I am sure a huge number get hacked by breaking and entering poorly secured POS systems, and businesses, both brick and mortar, and online, whose customer databases are compromised and the merchant/vendor either ignore it, or are totally unaware of it.
Thanks to a tip from you Michael I was able to finger the merchant who was compromised, by redoing my account with an online secure account number; and this closed the trap on their bad business practices. I notice they got bought out recently - probably because of too many lost customers, or pending law suits!
Is everyone getting hacked? Shoot who knows? How would you know your purchase at Wally World was compromised, and is paying for the expense to attack your bank account and rob you blind? The only way for everyone to avoid this is to go back to a cash based system again. I'm not willing to do that yet.
That one really puts that aspect of it into perspective.
This is an interesting angle. Not that it means I'd feel comfortable counting on not being singled out...
Also, it doesn't cover the botnet business... the botmasters have a definite gain from every single successful infection, and even if other attacks prove unprofitable, they can always sell the botpower to SEO purposes... like spamming TR.
When wireless first came out I made a fair living installing wireless in home PC's.
To demonstrate why I was worth my fee I would hack into nearby wireless networks using tools freely downloadable from the Net. The first place to go would be the neighbor's Pictures folders which often contained compromising pix of his wife!
But if I was clever (and evil) enough I would have written a bot hacker which searched millions of accounts daily, looking for someone with money.
Why would a hacker think in terms of hourly rate when you can employ tools which work while you're sleeping?
The success of the Nigerian 416 scams show that the very rich are just as vulnerable as the rest of us.
Many of the attacks require people to intervene. For example, if banking information is stolen; the attacker still needs to log in, get past security, initiate the transfers to money mule accounts, and several other steps. The actual process is more involved than most are led to believe.
with Zeus variants, they can simply ride the logon session all the way to the bank. So they don't even need to sniff passwords or anything. No key-logging required, just session riding.
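The two posts above (the one describing the console alert during an SSL session, and the one directly above on riding the logon session) make the same point: once malware sits inside the victim's browser session, the password is irrelevant because every request the trojan sends already carries a valid login. The following toy simulation is an added example for this thread, not code from either poster and not anything taken from Zeus: a minimal bank "server" with two transfer endpoints, one authorized by the session alone and one that also requires a code computed over the exact destination and amount on a separate device the browser never touches (an assumption of the example, modelled here as an HMAC key that only the device holds). The attacker is given the live session cookie and nothing else.

```python
"""Session riding against password-only banking, and what stops it.

Added example for this thread, not code from the original posts. Everything
here is a toy: a bank with in-memory sessions, a user, and an attacker who
holds the user's live session cookie but never saw the password. The
out-of-band signing device is modelled as a per-user HMAC key that exists
only on that device and on the bank's side, never in the browser.
"""
import hashlib
import hmac
import secrets


class AuthError(Exception):
    pass


def device_sign(key, dest, amount):
    """What the user's separate device computes after showing dest and amount
    on its own screen: a short code bound to exactly those two values."""
    msg = f"{dest}:{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


class Bank:
    def __init__(self):
        self.passwords = {}     # user -> password (toy; a real system stores hashes)
        self.balances = {}
        self.sessions = {}      # cookie -> user
        self.device_keys = {}   # user -> key held on the user's signing device
        self.ledger = []        # (user, dest, amount) for every completed transfer

    def enroll(self, user, password, balance):
        self.passwords[user] = password
        self.balances[user] = balance
        self.device_keys[user] = secrets.token_bytes(32)

    def login(self, user, password):
        if self.passwords.get(user) != password:
            raise AuthError("bad password")
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def _user(self, cookie):
        user = self.sessions.get(cookie)
        if user is None:
            raise AuthError("no session")
        return user

    def _move(self, user, dest, amount):
        if amount <= 0 or self.balances[user] < amount:
            raise ValueError("insufficient funds")
        self.balances[user] -= amount
        self.ledger.append((user, dest, amount))

    def transfer_session_only(self, cookie, dest, amount):
        """Authorization = 'the request arrived on a logged-in session'.
        A browser-resident trojan satisfies this by construction."""
        self._move(self._user(cookie), dest, amount)

    def transfer_signed(self, cookie, dest, amount, tan):
        """Authorization also needs a code over the exact dest and amount,
        computed on a device the browser cannot reach."""
        user = self._user(cookie)
        expected = device_sign(self.device_keys[user], dest, amount)
        if not hmac.compare_digest(expected, tan):
            raise AuthError("transaction code does not match dest/amount")
        self._move(user, dest, amount)


def ride_session_only():
    """Attacker has only the cookie; password-only banking loses 900."""
    bank = Bank()
    bank.enroll("alice", "correct horse", 1000)
    cookie = bank.login("alice", "correct horse")
    bank.transfer_session_only(cookie, "mule-account", 900)  # trojan's request
    return bank.balances["alice"], list(bank.ledger)


def ride_signed_session():
    """Same cookie, but transfers are bound to dest/amount by the device."""
    bank = Bank()
    bank.enroll("alice", "correct horse", 1000)
    cookie = bank.login("alice", "correct horse")
    key = bank.device_keys["alice"]
    tan = device_sign(key, "grocer", 40)              # alice approves 40 to grocer
    bank.transfer_signed(cookie, "grocer", 40, tan)   # legitimate, accepted
    outcomes = {}
    try:  # trojan rewrites the destination but can only replay alice's code
        bank.transfer_signed(cookie, "mule-account", 40, tan)
        outcomes["rewrite"] = "accepted"
    except AuthError:
        outcomes["rewrite"] = "rejected"
    try:  # trojan forges a code without the device key
        bank.transfer_signed(cookie, "mule-account", 900,
                             device_sign(b"attacker guess", "mule-account", 900))
        outcomes["forge"] = "accepted"
    except AuthError:
        outcomes["forge"] = "rejected"
    return bank.balances["alice"], outcomes


if __name__ == "__main__":
    print("session-only banking:", ride_session_only())
    print("transaction-signed banking:", ride_signed_session())
```

The design point is that the second endpoint never asks "is this session logged in?" as its only question; it asks "did the account holder approve this destination and this amount?", and the answer has to come from outside the browser. Anything the browser alone can produce, a trojan inside that browser can produce too.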
Care to explain exactly how you look for "someone with money" and exactly what you do when you find one? You seem to fall into exactly the kind of thinking that Herley describes; i.e. thinking that a vulnerability means risk-free money. If you want to "think like an attacker" describe exactly what this bot hacker you're talking about would turn vulnerabilites into money.
if the criminal is good at assessing the target data; he can figure out if taking control is worth it or not. I have heard of little old ladies getting their small bank accounts robbed of balances no bigger than their social security checks. So some criminals are just hungrier than others.
How do you make sure that your tool that works while you're sleeping gets to victims first, i.e. before all the other scammers who have tools that are working while they are sleeping?
You only get there first if there's something special about your tool. There's only something special about your tool if it's unique and you write it yourself and know something that nobody else knows.
"know something that nobody else knows."
That is one reason why security is a reactive process.
I read that the scanners they use are better than some of the best in the anti-malware industry. The first crook to pwn the computer keeps all other banking Trojans off.
That's scary.
Especially with how things like Zeus work... I can imagine the bot-builder vendor pricelists :
Basic kit
Advanced stealth I
Advanced stealth II
Advanced malware scanner
...
I wouldn't put anything past them. The example I read about was a simple hard drive version, that concentrated on banking trojans and anything that would slow the computer down, like other competing bots.
Could you have meant "Nigerian 419 scams"?
Great blog, by the way! All good comments.
There's just so much FUD from everyone who works in the security space. This explanation makes sense to me: it's not as easy as it looks to turn a vulnerability into cash.
The article doesn't say that it's not easy... just that the ease doesn't translate into endless amounts of cash. The time factor is often overlooked.
It's simply not as lucrative as is often imagined... except for the people at the top of the criminal food chain.
But, I think that requires a case by case review.
Of course ROI and similar metrics are always macroscopic...while "easy" is a case assessment (non-macroscopic), but Herley points out that the case assessment doesn't really matter on the macroscopic level, where it's the rate of success taken over great volumes that takes first priority.
A bit like the difference between molecular physics and chemistry. The potentially erratic behaviors on the molecular physics level aren't important to chemistry, because the chemical behavior is made up of huge numbers of molecules, evening out the unpredictability.
The molecular behavior is important. The difference is in how each science measures.
but chemistry researchers don't really give a hoot about all the things a molecule *could* do, individually - they deal with billions and billions of molecules, so to them only the more likely actions are relevant... everything else is masked out. That's why we can't really mix macroscopic terms with microscopic terms. That's where I think Mr. Herley has demonstrated very keen insights before, as well. He has looked at the microscopic habits, then extracted the macroscopic effects of them, and found them to be different than was to be expected. It's like differential calculus, going from the detailed to the directional - losing detail, but gaining a new perspective.
But you're right of course - if the molecule couldn't do all it can on the individual level, its behavior would be completely different on the chemical level...
Consider two 'chemically-identical' pieces of steel; one is magnetized...molecular chemistry is not equipped to describe any difference between them, but physics obviously is.
At least having the information available allows us to make better decisions.
Have you ever seen any sort of crimeware dashboard, for instance? These are well-organized businesses in an organized industry with marketing and slick software. Especially for botnets.
The probabilities that you might see any particular intrusion or infection are possibly low. For the criminals, the probabilities that they will get what they are after and make money doing it are rather high. It's a going concern.
I don't think there is a lot of FUD among researchers, but there is some from the marketing arms of AV and other security software/service vendors.
The probabilities that you might see any particular intrusion or infection are possibly low. For the criminals, the probabilities that they will get what they are after and make money doing it are rather high. It's a going concern.
I don't think there is a lot of FUD among researchers, but there is some from the marketing arms of AV and other security software/service vendors.
signature based detection is useless against the new malware variants. I've been using completely different tech more and more in the last two years. Michael has helped me with my thought process on this. I feel I've been pretty successful - but I'm presently running into some very vexing challenges; some of which, may not be security related at all - but I am suspicious and paranoid enough to believe the possibility is great.
The best defense, as has been going around TR a bit lately, is to not be there. If you use an OS whose developers address all vulnerabilities in a timely manner, you don't have to worry about malware signatures or malware that eludes signature based detection. As quickly as Symantec might come up with new signatures, FreeBSD plugs the vulnerability so that the malware no longer has something to exploit.
but I'm not a very good salesman for that tack. So I have to look for Windows solutions that are acceptable to them - I just can't get them to change. I'm also not well versed in VM tech that could help them use some of their favorite software written for Windows.
Of course, it's not always feasible to guide a client (or friend) through a platform migration. I understand that better than most, having been involved (both professionally and personally) in a number of such migrations, and a number of discussions about the benefits and detriments of such a migration that resulted in nothing changing.
I was just commenting on a best case scenario, where people are operating under circumstances where the migration really is the best option (far more common than most people think -- almost always, in fact), are willing to listen to reason and give it a shot (depressingly less common than it should be, though still not entirely uncommon), and do not essentially set out to sabotage themselves once things start (surprisingly common, all things considered).
Would that we could, in this and all things.
What you say is probably the best that can be said.
Puppy Linux LiveCDs from OnDisc, so I can demonstrate how easy it is to use such a feature to secure banking access. I trust their pre-burned discs the most. The S&H is worth it.
I think that there is another thing that is overlooked in the hacking scenario and that is that large corporates like the Microsofts, Chryslers and the like of this world are a target because of who they are, they are a challenge to the hacker who does not care about money but rather the esteem from his/her peers. They are also potentially targeted for IP that can be sold for a lot of money.
I would say that because they would make up the bulk of the small minority that gets hacked, the average Joe/small to medium sized business has even less chance of being hacked.