The same company, who was the first one to show how to strike back attackers, has published new results of research in Europe. Dramatical security issues for millions of people.

TEHTRI-Security, an innovatice cutting-edge french company, has just released new threats during “HITB Amsterdam”, an international conference for experts. They first explained that most Internet services (yahoo, hotmail, linkedin, twitter, facebook) are not hardened properly, so that millions of people take risks by using them. Moreover, they have shown that many phone devices with Wifi embedded are vulnerable to attacks, like the iPhone, the HTC, the BlackBerry and also the brand new iPad. To finnish, they explained some security issues on Thalys European trains, with the Wifi Internet access on board. Half a million of people could be concerned by those security issues related to privacy and security during their travels. Those issues are the same on many Internet access shared worldwide in airports, stations, trains, in-flights, hotels, etc. They are full of security vulnerabilities, because no real penetration test were organized with IT Security experts before the service was open to the public..

More information here (local press from Amsterdam) :
http://tweakers.net/nieuws/68316/wifi-netwerk-thalys-treinen-is-slecht-beveiligd.html
http://www.security.nl/artikel/33760/1/Internet_in_Thalys_kwetsbaar_voor_hackers.html

Like or Dislike: 1  1

To add to what AlphaCentauri said I would like to point out that they are never shut down in the same sense that a distributer of poisoned aspirin would be shut down in the brick and mortar world.

If someone opened a store in your local mall selling kits to inject arsenic into brand name aspirin it would be shut down immediately. You would not have to rely on volunteer groups to email the drug manufacturers and the drug retail stores with the hope that they would take action. There are laws and agencies with authority to enforce the laws in the brick and mortar world. Unfortunately, this is not true in the digital world of the internet.

As Alpha pointed out, fortunately, most registrars have cleaned up their act. I have noticed a big change in the registrars being used to provide domains for the botnets used by zeus to deliver their trojan since last year.

However, zeus still manages to find a registrar to register their domains. Reference Krebs’ blog titled “ZeuS Trojan Attack Spoofs IRS, Twitter, Youtube” and you will see that the registrar used, NAUNET-REG-RIPN (NauNet SP), kept the domains active over a six day period. From June 18 through June 23, they would deactivate a domain temporarily only to reactivate it later on. This simply would not be tolerated in the brick and mortar world.

But the botnets and their supporting domains/registrars aren’t the only problem. Many web hosting sites are notorious for hosting sites for phishing activity. I do not even have to mention them here, they are documented quite well by phishtank. See: http://www.phishtank.com/stats/2010/05/ under the heading “Top 10 Domains (valid phishes)”.

These are web hosting sites and most have been in the top 10 for a long time. Again, you have volunteers identifying member sites as engaged in phishing activity but somehow the host provider is not able (not required) to monitor their own sites and shut down the fraudulent ones.

So, my short answer would be: 1) not often enough and 2) too long.

Well-loved. Like or Dislike: 12  1

Working on their level is no solution. It’s fun but it’s self-destructive. Make them obsolete instead. That’s easy.

Hot debate. What do you think? 3  7

The implied assumption in your instructor’s question that you can stereotype hackers with such a broad brush is simplistic, as is his answer.

Frontier or vigilante justice existed in the 19th century frontier because that was all they had. Just recently a registrar maintained several domains for 6 days which were used to deliver the zeus trojan. This is not exceptional. This is common.
Our choice is not between Vigilante justice or law and order, it is between vigilante justice and nothing at all. There is no governing body that can force these registrars to remove domains clearly used for criminal purposes.
The same thing is true of web hosting sites which continually support sites which volunteers in many organizations have already identified as existing for criminal purposes.

And I for one am sure not going to take the attitude that we shouldn’t annoy these criminal sociopaths for fear that they may get really crazy. It may take a good dose of frontier justice to get the world to recognize that something has to be done.

Well-loved. Like or Dislike: 13  0

The biggest problem is that phish domains are also added to spam filters very quickly, so it’s hard to get your report through some companies’ spam filters. If you can find an online form on their websites for submitting complaints, it’s usually a better bet than an email from someone they don’t know (you).

Like or Dislike: 2  2

“The back doors are not programming failures; they’re there so the creators of the kits can make some extra profit by surreptitiously harvesting data from the script kiddies they sold the kits to.”

Boy, you just can’t trust anybody these days

Well-loved. Like or Dislike: 11  1

This isn’t some strange new opportunity. Antiphishing teams have been exploiting back doors purposely built into phishing kits for years. The back doors are not programming failures; they’re there so the creators of the kits can make some extra profit by surreptitiously harvesting data from the script kiddies they sold the kits to. No one is fixing them as long as the kits still sell.

It’s a race between white and black hats to find the phishing sites and grab their drop files before the domains are shut down for AUP violations. If the good guys get them first, the victims are notified and their accounts are protected. The only thing considered controversial is what happens if a company working for one bank finds data on victims from another bank — do they share the data with a bank that isn’t paying their fees? When Castlecops.com was operating, everyone got notified, but I don’t know if anyone has taken over that role since they ceased operation.

Even though the mitigation teams are private volunteers or private companies working for the banks, law enforcement is kept informed of everything they do. So there is no question of them facing legal liability for having hacked the hacked servers hosting the phishing kits.

Well-loved. Like or Dislike: 14  1

The criminals are already as organized as anybody else. There are well organized groups and disorganized mobs amongst them, just as there are better organized nation-states and some pretty dysfunctional ones. It’s a free market world, nation-state cyber attackers and common crooks can both buy the same exploit kits. What they do with them may overlap too, isn’t the underlying reason for war economic?

Well-loved. Like or Dislike: 8  2

I remember one of my security instructors asking us one question: “What’s the difference between a hacker and a security professional?”

The answer was: “Permission.”

So my question would be whom is authorized to go on the offensive? If its anyone (including white hats), we have essentially frontier or vigilante justice.

While the thought of becoming a virtual Batman might be interesting, it may also open up Pandora’s box. Although the criminal element is relatively organized at this point, what if this emboldens them to become ever more organized?

We may then see open warfare at that point.

Hot debate. What do you think? 4  7