Ten to fifteen years ago, if you were going to be the target of state sponsored or corporate espionage, you yourself were going to be a government or a large corporation that had intellectual property or information that an adversary was going to have to invest a lot of time and effort to pry out of you. What we have seen over the last five to seven years is that the botnet has democratized that process, so that now an individual can commit his own intelligence reconnaissance and espionage, whether at arms length on behalf of a state, on his own, or whether he’s doing it for corporate espionage.
This is an excerpt from a column of mine that appeared today at CSOonline. Read the rest of it at this link here.
Microsoft has issued an emergency security update to plug a critical hole in its Internet Explorer Web browser. The IE bug is the same flaw that is being blamed in part for fueling a spate of recent break-ins at Fortune 100 companies, including Google and Adobe.
If you use Microsoft Windows, please take a moment now to update your computer. Updates are available for all supported versions of IE and Windows. The easiest way to install the patch is through Windows Update. Users who have Automatic Updates turned on may be prompted to download and apply this within the next 48 hours or so, but honestly this is the kind of bug you probably want to quash as soon as possible.
The reason is that this is a browse-to-a-hostile-site-and-quickly-have-a-bad-day kind of flaw. What’s more, Symantec is now reporting that it has discovered hundreds of malicious and/or hacked Web sites are now serving up code that exploits this flaw to download malicious software. While many of these sites are in China, that fact matters little because hackers can always stitch code into a hacked, legitimate site that quietly and invisibly pulls down exploits from other sites. Meanwhile, security firm Websensewarns that the targeted e-mail attacks leveraging this flaw continue unabated.
When computer code that exploits this IE flaw was first posted online last week, Microsoft was quick to point out that it had only seen the code working reliably against IE6 users. However, researchers now claim that the exploit can also be made to work against IE7 and even IE8 — the latest version of IE that ships with Windows 7 systems.
The fixes included in this patch aren’t limited to the publicly disclosed flaw: Microsoft has addressed seven other vulnerabilities in this patch as well. More details about this specific update are available at this Microsoft Technet page.
Securing your computer isn’t just about making sure the doors and windows into your system are latched and patched: Sometimes, it makes more sense to simply brick up some of these entryways altogether — by getting rid of programs you no longer use.
There are several programs that I’ve mentioned recently and put in this category (Java, QuickTime, Adobe Reader). Allow me to add another program to this list: RealPlayer. If you have this program installed, ask yourself this question: When was the latest time you used it?
A leading security researcher today published perhaps the best evidence yet showing a link between Chinese hackers and the sophisticated cyber intrusions at Google, Adobe and a slew of other top U.S. corporations late last year.
In mid-December, Google discovered that its networks had been breached by attackers who appeared by coming from China. A Wall Street Journal article cited researchers saying the attacks — dubbed Operation Aurora — were launched from six Internet addresses in Taiwan, which experts say is a common staging ground for Chinese espionage.
While Google itself has said that the attacks “originated in China,” experts have been quick to point out that attackers commonly route their communications through faraway computers, and that the real attackers may be located anywhere in the world. But new clues about the origins of the malicious software that was used to exploit the as-yet unpatched Internet Explorer vulnerability suggest that the exploit was in fact assembled by Chinese programmers
The evidence comes from forensic work published today by Joe Stewart, director of malware research for Atlanta based managed security firm SecureWorks. Stewart said he found that a snippet of the source code used in the backdoor Trojan horse program planted by the exploit (called “Hydraq” by various anti-virus companies) matched a source code sample that was detailed in a Chinese-language white paper on mathematical algorithms used in electronics.
Stewart said a Google search for one of the key text strings in that code sample shows that it is virtually unknown outside of China, and that almost every page with meaningful content concerning the algorithm is written in Chinese.
Money mules are quite literally the workhorses of the online fraud world. The term “money mule” is borrowed from the nomenclature used to describe the human pack horses of the drug cartels — so-called “drug mules” — people who physically carry illegal substances on their person while crossing the U.S. border. Some drug mules actually ingest large numbers of tiny bags full of illegal substances, and carry the narcotics in their digestive system on the way into the United States. You can probably guess how the drugs are…er…offloaded by these mules.
Of course, money mules don’t actually ingest the cash they help steal from banks and small businesses that are victimized by criminal gangs, although they do occasionally eat the cost when their bank turns around and holds them liable for the missing money. However, some of the mules — mainly young Eastern European men and women of college age who are here in the United States on temporary J1 visas — do physically carry the cash on their person when they head back home.
Anyway, this blog posts focuses on the former group, those willing or unwitting individuals who stand to very likely make $500-$700 from a single transaction with the crooks. Money mules are recruited through work-at-home job offers that arrive via e-mail, usually claiming that the prospective employer found the recipient’s resume’ on careerbuilders.com, monster.com, or some other job search site. Recruits are told they will be helping to move money for international companies, and are asked to provide their bank account and routing numbers so that they can receive incoming transfers.
Now, technically speaking, most mules are by default fired after their first and only successful job: Each mule is worth slightly less than $10,000 to the cyber gangs, who will cease communicating with a mule the minute after he or she successfully wires the money to the crooks and e-mails the access number the criminals need to pick up the cash.
The mules’ job isn’t that difficult: Wait by the computer between 8 and 11 a.m. for a message saying a deposit is ready for withdraw. The mule is instructed to then go down to their bank, pull out the money in cash, and then wire it abroad via Western Union and Moneygram.
But you’d be surprised at how often the mules screw this up. Here are the Top 10 ways that mules can get fired:
Web site domain registrar and hosting provider Network Solutions acknowledged Tuesday that hackers had broken into its servers and defaced hundreds of customer Web sites.
The hackers appear to have replaced each site’s home page with anti-Israeli sentiments and pictures of masked militants armed with rocket launchers and rifles, alongside the message “HaCKed by CWkomando.”
According to results for that search term entered into Microsoft’s Bing search engine, there may in fact be thousands of sites affected by this mass defacement.
One of the defaced pages belonged to Minnesota’s 8th District GOP, according to a story in The Minnesota Independent, which said the Arabic writing that accompanies the defaced pages contains the dedication “For Palestine,” and the repeated phrase “Allahu Akbar” [God is great].
Apple his shipped a software update that fixes at least a dozen security vulnerabilities in Mac OS X Leopard and Snow Leopard systems. The update applies to OS X 10.5 and 10.6 desktop and server machines, is available through Software Update or from Apple Downloads. More than half of the fixes are to update the Mac version of Adobe’s Flash Player plugin. Check out this link for more nitty gritty on the individual flaws fixed in this update.
I had just finished opening an account at the local bank late last week when I happened to catch a glimpse of the bank manager’s computer screen: He had about 20 Web browser windows open, and it was hard to ignore the fact that he was using Internet Explorer 6 to surf the Web.
For more than a second I paused, and considered asking for my deposit back.
“Whoa,” I said. “Are you really still using IE6?”
“Yeah,” the guy grinned sheepishly, shaking his head. “We’re supposed to get new computers soon, but I dunno, that’s been a long time coming.”
“Wow. That’s nuts,” I said. “You’ve heard about this latest attack on IE, right?”
I might as well have asked him about the airspeed velocity of an African Swallow. Dude just shook his head, and so did I.
Well, you can’t really blame the poor guy for not knowing. Just hours before, Microsoft Chief Executive Steve Ballmer looked a bit like a deer in headlights when, standing in front of the White House in a planned CNBC interview on how the Obama administration is looking to use technology to streamline its operations, he was suddenly asked about a report just released from McAfee effectively blaming a slew of recent cyber break-ins at Google, Adobe and more than 30 top other Silicon Valley firms on a previously unknown flaw in IE.
“Cyber attacks and occasional vulnerabilities are a way of life,” Ballmer said. “If the issue is with us, we’ll work through it with all of the important parties. We have a whole team of people that responds very real time to any report that it may have something to do with our software, which we don’t know yet.”
The other day I had a chance to chat with Steve Santorelli, director of global outreach at Team Cymru (pronounced kum-ree), a security research and investigation firm that is often privy to some fascinating, granular data on network attacks, as well as fairly unique holistic views about large scale Internet threats.
Santorelli wanted to interview me as part of their ongoing Who and Why Show, and gave me a few minutes to answer the question, “What keeps you up at night?” My answer was basically that I worry what will happen to the Internet as we know it when people start to die in a measurable way because of computer and Internet security vulnerabilities and attacks.
Click the embedded video image below to listen to the short interview.
By the way, the title of this post is an open-ended question: Are there Internet/computer security threats that keep you — the reader — up at night? If so, sound off in the comments.
It is said that you can judge the mettle of a man by the quality of his enemies. So I guess it should be flattering when a group of individuals who appear dedicated to making misery for countless Internet users express glee at what they perceive as my misfortune.
Since my final posting on The Washington Post‘s Security Fix blog last year, I’ve been made aware of several discussions among different shadowy online groups who were apparently celebrating the end of that blog.
Some of those conversations I am not at liberty to point to here, but at least one of them is public: A thread on crutop.nu, a 8,000 member Russian language forum dedicated to Webmasters who specialize in high-risk Web sites, including rogue anti-virus software sales, pharmacy sites, and all manner of extreme porn (including beastiality and rape).