July, 2009

PANDALABS REVEALS EXPONENTIAL GROWTH IN ROGUEWARE

Rogueware? The names just keep coming. It’s another name for Scareware, that stuff designed to cause shock, anxiety, or the perception of a threat, generally directed at an unsuspecting user. The end result is to steal money from PC users by luring them into paying to remove nonexistent threats. Disturbing statistics point out why this stuff won’t go away:

• Cybercriminals are earning approximately $34 million per month through rogueware attacks
• Approximately 35 million computers are newly infected with rogueware each month
• Rogueware is being distributed through Facebook, MySpace, Twitter, Digg and targeted BlackHat SEO attacks
• Research confirms that majority of cybercriminals operate from Eastern Europe

PandaLabs, Panda Security’s malware analysis and detection laboratory, announced yesterday that they’ve made a multi-year study available that examines the proliferation of rogueware into the overall cybercriminal economy. The report, “The Business of Rogueware,” by PandaLabs researchers, Luis Corrons and Sean-Paul Correll, reviews the various forms of rogueware that have been created, and displays how this new class of malware has become an instrumental player in the overall cybercriminal economy. The study also provides in depth analysis on the increasingly sophisticated social engineering techniques used by cybercriminals to distribute rogueware via Facebook, MySpace, Twitter and Google.

It’s very clear the whole landscape has changed from a vandal model to a profit model. It used to be that the cyber-vandals trashed your hard drive and wrecked your website; now, cyber-criminals use tactics to steal your identity and extort money from you. The damage is no less costly, it has just increased in both the intensity of emotional pain and amount of financial loss. The difference is that cyber-vandals didn’t have a payday—cyber-criminals do.

And people ask me why I’m adamant about cyber-security…

Video: I Go Chop Your Dollar

This video is a good example of how not all the effects of crime are bad. After all, if we didn’t have Nigerian 419 scammers, we wouldn’t have a song about the infamous Nigerian 419 scams that haunt email inboxes these days. Lyrics are a little hard to pick out, but the chorus repeats enough that you’ll eventually get it. It’s a catchy tune. Perfect to lighten things up after a serious month of fighting security threats.

Enjoy!

I Go Chop Your Dollar

Cheers!
Kenny

I’ll Say it Again—Turn Off the Remote Web Management Interface!

I don’t know how many times I’ve told people that the embedded management interface on most devices is a security breach waiting to happen. I just got wind of some news, but can’t seem to find anything more than this mention. As soon as I dig up some details, I’ll let you know. This exchange is from Security Now! Episode 206 for July 23, 2009:

Steve…Stanford security lab….will also be showing some very distressing news this weekend at the Black Hat conference. They tested 21 different devices from 16 different manufacturers. These are web-enabled gizmos - webcams, printers, network switches, photo frames, VoIP phones, remote management tools, all of these things - and, like, consumer routers, all of these things that are web-enabled, meaning that like so many peripherals now, they’ve got an Internet connection and a web interface. They tested the vulnerability of 21 devices made by 16 different manufacturers. There was not one that was not vulnerable to serious web-oriented problems. For example, they were able to enter JavaScript commands into the logon prompts.

Leo: Oh, boy.

Steve: And the device logged the log-on attempts. So when the administrator brought up the log, the act of displaying the log replayed the JavaScript commands…And that allowed the commands to connect to a remote server and download malware. They said that among the worst devices were network attached storage devices. They enumerated five different classes of attacks, and they said that the NAS…were vulnerable to all five classes of attack. For example, you could rename files to JavaScript strings. There was no control over file naming in these. And of course we all have long filenames now in our state-of-the-art file systems. Well, long meaning JavaScript. And so anytime this device attempted to display the filenames on a web page, again, you were running JavaScript. So now there’s scripting running in your directory listing, which is displayed on a web page, causing your browser to do whatever the JavaScript has said. And it’s running in the local context. So even systems that have security saying don’t allow remote sites to execute script, but of course we trust our self, well, now we can’t trust our self.

Don’t tell me I didn’t say so. Turn that interface OFF!

“Of Course, I Never Reply to Spam – Except Sometimes”

Sounds funny, doesn’t it?  But that’s part of the title of a consumer survey recently completed by the Messaging Anti-Abuse Working Group (MAAWG): “A Look at Consumers’ Awareness of Email Security and Practices or ‘Of Course, I Never Reply to Spam – Except Sometimes.‘” The report is issued in two parts: Part 1 is a summary of the results; Part 2 is the actual survey data complete with charts. Here’s an excerpt from the report’s abstract:

This survey was commissioned by the Messaging Anti-Abuse Working Group (MAAWG) to gain a better understanding of consumers’ awareness of the risks associated with viruses and “bots” spread through email and to determine how the industry can best work with consumers in dealing with important messaging threats.  The research covers bot awareness and also asks the frequently voiced question: “Why did you click on that spam link?”  It identifies the specific actions consumers take to protect themselves against viruses and junk mail, looks at consumers’ attitudes toward virus mitigation, and seeks to quantify and understand consumers’ email habits.

One of the most striking results from this research is that while 82% of consumers are aware of “bots” and malware threats, only 20% believe there is a very good chance their computers could get infected.

What surprises me is the high percentage of consumers who are aware of bots; what doesn’t surprise me is that most of those have a “won’t happen to me” attitude.

The real eye opener in this study is the responses to survey question 12: “If you have ever clicked on a link or replied to an email that you suspected was spam, why did you take this action?” The majority of respondents (52%) said they had clicked or replied. 17% said they “made a mistake.” It happens, especially if you have a twitchy clicker finger. There’s no excuse for the 12% who said they were “interested in the product/service” being offered nor the completely clueless 6% who “wanted to see what would happen.” Unbelievable! It’s these people who are the reason spam won’t go away. They’re also the folks whose PCs I have to clean up on a regular basis.

Fellow security professionals, we have our work cut out for us.

Fraud Alert: eBay, craigslist Broken?

Bruce Schneier’s June 19, 2009 post Fraud on eBay stands as a testament to the fact that all is not well with the online auction giant.

I expected selling my computer on eBay to be easy.

Attempt 1: I listed it. Within hours, someone bought it — from a hacked account, as eBay notified me, cancelling the sale.

Attempt 2: I listed it again. Within hours, someone bought it, and asked me to send it to her via FedEx overnight. The buyer sent payment via PayPal immediately, and then — near as I could tell — immediately opened a dispute with PayPal so that the funds were put on hold. And then she sent me an e-mail saying “I paid you, now send me the computer.” But PayPal was faster than she expected, I think. At the same time, I received an e-mail from PayPal saying that I might have received a payment that the account holder did not authorize, and that I shouldn’t ship the item until the investigation is complete.

That’s one example of eBay fraud. Another report in The Consumerist, “It’s Now Completely Impossible To Sell A Laptop On Ebay,” shows another variation, clearly a Nigerian scam:

So I re-listed the item. This time, I lowered the minimum bid and paid for the ‘featured item’ option (which I thought was a stupid idea, but the only way to get my auction seen by any appreciable audience). This time, the auction ended without incident. I got an email from the bidder telling me that he was glad to have won the auction, and was excited for me to ship it… To Nigeria.

Let it be known here that though I may not be the smartest person in the world, I’m not stupid. His email went on to explain (in poor English) that he was ‘on business trip to the Nigeria,’ and that he was willing to pay me $1000 through PayPal for the laptop. Shortly thereafter I received an email from ‘PayPal’ (who is now apparently sending out their customer service emails from gMail), stating that I had received a payment, but that it would not show up in my account until I emailed them back the tracking number for the parcel. Very clever, but once again, I’m not stupid.

While I haven’t had this type of problem on eBay, I have experienced similar fraud on Craig’s list. Here’s a short excerpt from one of the emails I received from the fraudster (reportedly sent by USPS):

Thanks you for using Postal Money Order, The payment for your merchandise has been paid for,we have your $500:00USD money order sent to you by the buyer of your item Lewis Jack in our database, as soon as the item is shipped, please forward us with the shipping tracking number, so your $500:00USD money order can be mailed to your address, your money order is secure and save.

We will be glad to inform you that the payment sent to you by Lewis Jack has been processed and verified, your payment is now on hold for 48 hours from the period of time you recieve this email, we will be sending you a shipment notification email as soon as we recieve the shipment tracking number for the item your buyer purchased.

Based on the blatant outpoints in grammar and punctuation, it’s pretty obvious that this didn’t come from the United States Postal Service. It’s clearly a scam and I would never see payment if I were stupid enough to ship the item.

I’m about to list a rather expensive router on eBay and if I have any experiences similar to those of Mr. Schneier and the other gentleman, I’ll post details here.

It appears, though, that unless you’re selling low value or garage sale class items, the watchwords are: “Caveat venditor” (let the seller beware).

Panda’s CloudAntivirus Update

When I turned on my laptop this morning, I was greeted with a red X on the Panda icon in my system tray. When I clicked on it, the program informed me that my beta version would expire in 10 days and I should download the latest release. I was ready for a sales pitch; I’m happy to say there wasn’t one. Apparently, CloudAntivirus is still free (it’s also still Beta) and will remain so.

The latest release is dated 6/30/2009, Version 0.08.82. That number seems far removed from V. 1.0. I can’t imagine what more the program needs—it works very well now with no intrusive behavior. I’ve tested it with some real malware and it works as advertised. I trust it enough to recommend it to everyone I know.

If you missed my previous article on this nifty security tool, read Panda’s Cloud Antivirus (Beta) is a Winner! Be sure to watch the video I have linked in that article, too. Besides just being cool, the video will give you a new viewpoint on emerging security technology in the Cloud. While you’re at it, this Panda Security video ad’s also worth a look. (Check out the threat characters—very catchy.): Viruses pwned by Panda Antivirus [HQ].

Anyone interested in seeing a security video of the week (or month) column on this blog?

Hacker HighSchool is a Great Idea!

Steve Gibson of Spinrite and Security Now! podcast fame talked about Hacker HighSchool in his most recent Security Now! episode 204. What a great idea! I checked out the site and here’s what I found:

The Hacker Highschool project is the development of license-free security and privacy awareness teaching materials and back-end support for teachers of elementary, junior high, and high school students.

Today’s kids and teens are in a world with major communication and productivity channels open to them and they don’t have the knowledge to defend themselves against the fraud, identity theft, privacy leaks and other attacks made against them just for using the Internet. This is the reason for Hacker Highschool.

In HHS, you will find lessons on utilizing Internet resources safely such as web privacy, chat protection, viruses and trojans (malware), and the over-all focus on how to recognize security problems on your computer. All lessons work with a free “live linux” CD which will boot off any PC with a CD-rom drive to perform the lessons. HHS is a great supplement to student course work or as part of after-school and club activities.

I checked out some of the lesson transcripts and I have to say that I plan to do them all myself. This is great stuff and while I’m no slacker at being a hacker, there’s a lot of great information to be had. Not only that, but I think it’ll be fun to pretend that I’m 16 in this day and age.

The first lesson (they’re in PDF format on the website) is aptly titled “Being A Hacker” and the first paragraph of the lesson starts out with this:

This lesson is about how to learn – a critical skill for a hacker.  Hacking, in reality, is a creative process that is based more on lifestyle than lesson. We can’t teach you everything that you need to know, but we can  help you recognize what you need to learn.  This is also true due to the constant advances in the computer sciences.

They go on to say that hacking is a life skill that can be applied to other fields, too.

I suggest you check it out for yourself and if you have teenagers still at home, get them going on these things ASAP.

“I guess I forgot to lock the door.”

Physical security is something we often take for granted, but it can be just as important as cyber security. One of my clients recently called to say that some suspicious files had suddenly appeared on one of their servers. Naturally, I investigated, but I couldn’t find any breach in the firewall or any indication in the IDS logs that the network had been hacked from outside.

After spending a couple of hours digging around in the server logs, I finally dug into the registry and found that the files had apparently come from a USB device that had been plugged into the server around 9:30 pm on the day in question. Since only three people have access to the servers–myself, the IT Manager and the Controller–and none of us were guilty, I had to suspect that someone had gained unauthorized access to the server room.

Sure enough, the IT Manager recalled leaving early on an emergency the day of the incident and with a sheepish grin told me, “I guess I forgot to lock the door.”

We now have an electronic combination lock on the door and only the three of us have the code. The door automatically locks itself three seconds after it’s opened, so “forgetting” isn’t an option.

Lesson learned. Fortunately, the files were benign.