What You Should Know About History Sniffing

December 6, 2010
32 Comments

Researchers have discovered that dozens of Web sites are using simple Javascript tricks to snoop into visitors’ Web browsing history. While these tricks are nothing new, they are in the news again, so it’s a good time to remind readers about ways to combat this sneaky behavior.

The news is based on a study released by University of California, San Diego researchers who found that a number of sites were “sniffing” the browsing history of visitors to record where they’d been.

This reconnaissance works because browsers display links to sites you’ve visited differently than ones you haven’t: By default, visited links are purple and unvisited links are blue. History-sniffing code running on a Web page simply checks to see if your browser displays links to specific URLs as purple or blue.

These are not new discoveries, but the fact that sites are using this technique to gather information from visitors seems to have caught many by surprise: A lawyer for two California residents said they filed suit against one of the sites named in the report — YouPorn — alleging that it violated consumer-protection laws by using the method.

As has been broadly reported for months, Web analytics companies are starting to market products that directly take advantage of this hack.  Eric Peterson reported on an Israeli firm named Beencounter that openly sells a tool to Web  site developers to query whether site visitors had previously visited up to 50 specific URLs.

The Center for Democracy & Technology noted in March that another company called Tealium has been marketing a product taking advantage of this exploit for nearly two years.  “Tealium’s “Social Media” service runs daily searches of a customer’s name for news and blog postings mentioning the customers, and then runs a JavaScript application on the customer’s site to determine whether visitors had previously read any of those stories,” CDT wrote. “The service allows Tealium customers a unique insight into what sites visitors had previously read about the company that may have driven them to the company’s Web site.”

Continue reading

Cable: No Cyber Attack in Brazilian ’09 Blackout

December 3, 2010
9 Comments

The Nov. 2009 blackout that plunged millions of Brazilians into darkness for up to six hours was not the result of cyber saboteurs, but instead an unusual confluence of independent factors that conspired to cause a cascading power failure, according to a classified cable from the U.S. embassy in Brazil.

The communication, one of roughly 250,000 to be published by Wikileaks.org, provides perhaps the most detailed explanation yet of what may have caused the widespread outage, which severed power to 18 of Brazil’s 27 states, cutting electricity for up to 60 million Brazilians for periods ranging from 20 minutes to six hours. The Nov. 2009 outage was notable because it came just three days after a CBS news magazine 60 Minutes report about a much more severe two-day outage in 2007 that cited unnamed sources claiming that the blackout was triggered by hackers targeting electric control systems.

Reports from Wired.com and other news publications quickly challenged that 60 Minutes segment, pointing to previous investigations that suggested a variety of factors contributed to the 2007 incident, including poorly-maintained electrical insulators. But when another outage hit Brazil three days after the CBS report, the coincidence led to more speculation about whether hackers were once again involved.

The cable relates information shared by executives and engineers from Brazil’s National Operator of the Interconnected Power System (ONS), which “further ruled out the possibility of hackers because, following some acknowledged interferences in past years, [the Government of Brazil] has closed the system to only a small group of authorized operators, separated the transmission control system from other systems, and installed filters.” From the cable:

“Coimbra confirmed that the ONS system is a CLAN network [classified local area network] using its own wires carried above the electricity wires. Oliveira pointed out that even if someone had managed to gain access to the system, a voice command is required to disrupt transmission. Coimbra said that while sabotage could have caused the outages, this type of disruption would have been deadly, and investigators would have found physical evidence, including the body of the perpetrator. He also noted that any internal attempts by system employees to disrupt the system would have been easily BRASILIA 00001383 003 OF 005 traceable, a fact known to anyone with access to the system.”

So what did cause the blackout? The cable suggests there were a range of contributing factors and some very bad timing:

Continue reading

Advertisement

FBI Identifies Russian ‘Mega-D’ Spam Kingpin

December 1, 2010
22 Comments

Federal investigators have identified a 23-year-old Russian man as the mastermind behind the notorious “Mega-D” botnet, a network of spam-spewing PCs that once accounted for roughly a third of all spam sent worldwide.

According to public court documents related to an ongoing investigation, a grand jury probe has indicted Moscow resident Oleg Nikolaenko as the author and operator of the Mega-D botnet.

Federal agents settled on Nikolaenko thanks to information provided by Lance Atkinson, an Australian man named as a co-conspirator in the “Affking” e-mail marketing and counterfeiting operation that was shuttered in 2008 after investigations by the FBI, the Federal Trade Commission and international law enforcement authorities. The Affking program generated revenues of $500,000 a month using spam to promote counterfeit Rolexes, herbal “male enhancement” pills and generic prescription drugs.

As part of his guilty plea to spam violations, Atkinson provided investigators information on the top spammers who helped to promote the Affking products. Among them was an affiliate who used the online nickname “Docent,” who earned nearly $467,000 in commissions over a six month period in 2007.

Atkinson told investigators that Docent’s commissions were sent to an ePassporte account, under the name “Genbucks_dcent,” that was tied to the e-mail address “4docent@gmail.com.” Records subpoenaed by the grand jury found that the ePassporte account was registered in Nikolaenko’s name to an address in Moscow.

According to court documents, investigators found numerous executable files in Docent’s Gmail inbox. Those files were analyzed by researchers at SecureWorks, an Atlanta based security firm, which found them to be samples of the Mega-D malware.

Update: [Nikolaenko was reportedly arrested in the United States recently. See update at the end, after the jump.]

Continue reading

Cybercrime Untouchables?

November 30, 2010
23 Comments

“YOU’VE probably never met Sergey Kozerev, a former student at the State University of Technology and Design in St. Petersburg, Russia, but it’s possible that he’s mugged you.

In the online world, he operates under the pseudonym Zo0mer, according to American investigators, and he smugly hawks all manner of stolen consumer information alongside dozens of other peddlers at a Web site he helps manage.”

The text above was the lead for a story published April 3, 2006 in The New York Times. It described Zo0mer as a “kingpin” of the criminal underworld market for stolen identities and credit cards.

What’s remarkable is that — almost four years later — Zo0mer’s business appears stronger than ever.

Today, Zo0mer/Kozerev runs perhaps the most bustling marketplace for purloined financial data in the UnderWeb. His Flash advertisements, like the one pictured below, adorn several prominent “carding” forums.

The ads promote a pair of his services: One sells “dumps” — account data stolen (by malware or skimmers) from the magnetic stripes on the back of all credit and debit cards that can be used to create counterfeit cards; the other peddles stolen credit card data and sensitive personal information that can be used to hijack identities and change the mailing address records on bank accounts.

Two of Zo0mer's threads on a carding forum.

Below are screen shots of Zo0mer’s two fraud shops, which show the prices associated with each of these services. According to Zo0mer’s posting on one carding forum, one credit card + its corresponding card security code costs about $1, and the price goes down for high volume purchases. If you want the absolutely freshest stolen card numbers, the price doubles to $2 per card, and redoubles to $4 per card if you care which bank issued the card. Hacked eBay and Paypal accounts also are for sale.

Continue reading

Shopping Online? Know Thy Seller

November 29, 2010
10 Comments

This time of year, it seems like everyone has a guide to shopping safely online. Most tip sheets focus on ways to spot insecure Web sites and harden your computer against data-stealing malware, but it’s equally important to understand whom you’re buying from before it’s too late.

It’s always a good idea to shop for the best price online, but you may be sorry if you let the site with the lowest price be your only guide. If you aren’t familiar with an online merchant, take a few minutes to do some basic consumer research on the vendor. Otherwise, you could end up like the hapless consumers profiled in David Segal‘s readable and entertaining story in The New York Times last week.

The Times piece highlights what appears to be a serious weakness in the major search engines, a shortcoming that favors dodgy merchants: While an abundance of complaints against an online merchant may show up prominently in a Web search for that seller, searches for brand name items may take the consumer straight to the merchant’s site and bypass those negative comments. Furthermore, complaints and bad publicity may even increase an online shop’s standing in the search rankings, the story notes.

Continue reading

Spear Phishing Attacks Snag E-mail Marketers

November 24, 2010
12 Comments

Criminals have been conducting complex, targeted e-mail attacks against employees at more than 100 e-mail service providers (ESPs) over the past several months in a bid to hijack computers at companies that market directly to customers of some of the world’s largest corporations, anti-spam experts warn.

The attacks are a textbook example of how organized thieves can abuse trust relationships between companies to access important resources that are then recycled in future attacks. According to multiple sources, the so-called “spear phishing” attacks in this fraud campaign arrived as virus-laden e-mails addressing ESP employees by name, and many cases included the name of the ESP in the body of the message.

The poisoned missives used a variety of ruses, but generally included an invitation to view images at a Web site URL included in the message — such as a link to wedding photos or an online greeting card. Recipients who clicked the links were redirected to sites that attempted to silently install software designed to steal passwords and give attackers remote control over infected systems.

Neil Schwartzman, senior director of security strategy at e-mail security provider Return Path Inc, said the spear-phishing attacks have targeted e-mail marketing companies that manage opt-in campaigns for some of the biggest corporate brands in existence.

“This is an organized, deliberate, and destructive attack clearly intent on gaining access to industry-grade email deployment systems,” Schwartzman said. “Further, the potential consequences should ESP client mailing lists be compromised at this time of the year is unimaginable.”

Update: Nov. 25, 12:33 p.m. ET: Return Path is now saying that it also was compromised and that its clients are reporting that they have received spear-phishing attacks over the last 24 hours. Read on past the jump for more on this update.

Original post:

Chris Nelson, a security manager at an ESP that was compromised by these attacks, spoke with KrebsOnSecurity.com on condition that his employer not be named. Nelson said he traced the attack used to infiltrate his company’s servers back to Internet addresses in the Netherlands, where he found evidence that at least a dozen other ESPs were similarly compromised. The attacks, he said, appear aimed at gaining control over customer accounts and e-mail address lists that could be used in future spam and scam campaigns.

All of the evidence suggests these attacks have been going on for several months, Nelson said.

Continue reading

Escrow Co. Sues Bank Over $440K Cyber Theft

November 23, 2010
61 Comments

An escrow firm in Missouri is suing its bank to recover $440,000 that organized cyber thieves stole in an online robbery earlier this year, claiming the bank’s reliance on passwords to secure high-dollar transactions failed to measure up to federal e-banking security guidelines.

The attack against Springfield, Mo. based title insurance provider Choice Escrow and Land Title LLC began late in the afternoon on St. Patrick’s Day, when hackers who had stolen the firm’s online banking ID and password used the information to make a single unauthorized wire transfer for $440,000 to a corporate bank account in Cyprus.

The following day, when Choice Escrow received a notice about the transfer from its financial institution — Tupelo, Miss. based BancorpSouth Inc. — it contacted the bank to dispute the transfer. But by the close of business on March 18, the bank was distancing itself from the incident and its customer, said Jim A. Payne, director of business development for Choice Escrow.

“They said, ‘We’re going to get back to you, we’re working on it’,” Payne said. “What they really were doing is contacting their legal department and figuring out what they were going to say to us. It took them until 5 p.m. to call us back, and they basically said, ‘Sorry, we can’t help you. This is your responsibility.'”

A spokesman for BancorpSouth declined to discuss the bank’s security measures or the specifics of this case, saying the institution does not comment on ongoing litigation.

According to documents filed today with the Circuit Court of Greene County, Mo., BancorpSouth’s most secure option for Internet-based authentication requires the customer to have one user ID and password to approve a wire transfer and another user ID and password to release the same wire transfer. The other option — if the customer waives or does not choose dual control — requires one user ID and password to both approve and release a wire transfer.

Choice Escrow’s lawyers argue that because BancorpSouth allowed wire or funds transfers using two options which were both password-based, its commercial online banking security procedures fell short of 2005 guidance from the Federal Financial Institutions Examination Council (FFIEC), which warned that single-factor authentication as the only control mechanism is inadequate for high-risk transactions involving the movement of funds to other parties.

“BancorpSouth should have, and could have, offered a commercially reasonable multifactor authentication method, since it had ample time (more than four years, October 2005 to March 2010) and knowledge of the need and requirement to provide its customers with secure authentication methods, as evidenced from the numerous documents it received, and/or knew about or should have known about, from the FFIEC and FDIC,” the complaint charges.

Continue reading

Crooks Rock Audio-based ATM Skimmers

November 23, 2010
26 Comments

Criminals increasingly are cannibalizing parts from handheld audio players and cheap spy cams to make extremely stealthy and effective ATM skimmers, devices designed to be attached to cash machines and siphon card + PIN data, a new report warns.

The European ATM Security Team (EAST) found that 11 of the 16 European nations covered in the report experienced increases in skimming attacks last year. EAST noted that in at least one country, anti-skimming devices have been stolen and converted into skimmers, complete with micro cameras used to steal PINs.

EAST said it also discovered that  a new type of analog skimming device — using audio technology — has been reported by five countries, two of them “major ATM deployers” (defined as having more than 40,000 ATMs).

In the somewhat low-res pictures supplied by EAST here, the audio skimming device is mounted on a piece of plastic that fits over the ATM’s card reader throat. A separate micro camera embedded in the plastic steals the victim’s PIN.

The use of audio technology to record data stored on the magnetic stripe on the backs of all credit and debit cards has been well understood for many years. The basic method for conducting these attacks was mentioned in a 1992 edition of the hacker e-zine Phrack (the edition that explains audio-based skimmers is Phrack 37). Since then, other electronics enthusiasts have blogged about their experiments with sound skimmers; for example, this guy discusses how he made a card reader device out of an old cassette recorder.

Continue reading

Adobe Reader X: Seeking Safety in the Sandbox

November 22, 2010
25 Comments

Adobe has at long last released Reader X, a fortified version of its PDF Reader software that is built to withstand attacks from the sort of zero-day security vulnerabilities that repeatedly have threatened its user base over the past several years.

The new Reader X version makes good on a promise Adobe announced in July of this year, when it said it would soon release a new kind of Reader designed to run the application in protected or “sandboxed” mode on Windows. Sandboxing is an established security mechanism that runs the targeted application in a confined environment that blocks specific actions by that app, such as installing or deleting files, or modifying system information. Adobe said that in developing the sandbox technology, it relied on experts from Microsoft and Google (the latter already has incorporated sandboxing into its Chrome Web browser).

The hardened Reader X software is specifically crafted to block attacks against previously unknown security holes in the program. On at least four occasions over the past year, attackers have leveraged newly discovered flaws in Reader to install malicious software when unsuspecting users opened poisoned PDF files.

It would have been refreshing had Adobe chosen this occasion to simplify the process of installing its software. Unfortunately, Windows users who grab the new version from the Adobe home page still need to dodge the add-ons (such as McAfee security scan) and endure the annoying Adobe Download Manager. Those who would rather not monkey around with this stuff can grab the direct download from this link (the direct download link for Mac users is here).

I look forward to the day that Adobe warns of attacks against unpatched flaws in Reader but assures Reader X users that they are already protected against those threats. Only time will tell if this highly-anticipated feature lives up to the hype. A full list of features included in this latest version is available here.

Why Counting Flaws is Flawed

November 18, 2010
31 Comments

Once or twice each year, some security company trots out a “study” that counts the number of vulnerabilities that were found and fixed in widely used software products over a given period and then pronounces the worst offenders in a Top 10 list that is supposed to tell us something useful about the relative security of these programs. And nearly without fail, the security press parrots this information as if it were newsworthy.

The reality is that these types of vulnerability count reports — like the one issued this week by application whitelisting firm Bit9 — seek to measure a complex, multi-faceted problem from a single dimension. It’s a bit like trying gauge the relative quality of different Swiss cheese brands by comparing the number of holes in each: The result offers almost no insight into the quality and integrity of the overall product, and in all likelihood leads to erroneous and — even humorous — conclusions.

The Bit9 report is more notable for what it fails to measure than for what it does, which is precious little: The applications included in its 2010 “Dirty Dozen” Top Vulnerable Applications list had to:

  • Be legitimate, non-malicious applications;
  • Have at least one critical vulnerability that was reported between Jan. 1, 2010 and Oct. 21, 2010; and
  • Be assigned a severity rating of high (between 7 and 10 on a 10-point scale in which 10 is the most severe).

The report did not seek to answer any of the questions that help inform how concerned we should be about these vulnerabilities, such as:

  • Was the vulnerability discovered in-house — or was the vendor first alerted to the flaw by external researchers (or attackers)?
  • How long after being initially notified or discovering the flaw did it take each vendor to fix the problem?
  • Which products had the broadest window of vulnerability, from notification to patch?
  • How many of the vulnerabilities were exploitable using code that was publicly available at the time the vendor patched the problem?
  • How many of the vulnerabilities were being actively exploited at the time the vendor issued a patch?
  • Which vendors make use of auto-update capabilities? For those vendors that include auto-update capabilities, how long does it take “n” percentage of customers to be updated to the latest, patched version?

Continue reading