TechRepublic : A ZDNet Tech Community

IT News Digest

Category: Cybercrime

Crimeware-as-a-Service: The next great thing in malicious attacks

We have all learned the hard ugly truth about malicious software and the proliferation of software available to do horrible things to our computers. But Crimeware-as-a-Service?

I think that, secretly, many IT professionals give computer criminals very little thought. I, for one, have difficulty conjuring a sinister image. Instead, I tend to think of a pimply post-adolescent in Mom’s basement, wreaking havoc on the cyber landscape one minute and apologizing to Mom for his dirty footprints across her clean floor the next. I have all the anti-malware tools I need, but tend to see the perpetrator of malicious electronic acts as somewhat laughable. I would be wrong in most cases.

At the RSA 2008 conference, Finjan, a leader in secure Web gateway products, released a report identifying and analyzing the latest trends in the commercialization of cybercrime.

From the report:

Criminals have started to use online cybercrime services instead of having to deal themselves with the technical challenges of running their own Crimeware server, installing Crimeware toolkits or compromising legitimate websites.

“Currently, we see the rise of the Crimeware-as-a-Service (CaaS) business model in the crimeware-toolkit market. Cybercriminals and criminal organizations are getting better and better at protecting themselves from law enforcement by using the crimeware services, especially since the operator does not necessarily conduct the criminal activities related to the data that is being compromised but only provides the infrastructure for it,” said Yuval Ben-Itzhak, CTO of Finjan.

As with mainstream software providers, the creators and owners of these crimeware toolkits provide their customer base with update mechanisms while tooling them with sophisticated, anti-forensic attack techniques, as well as the ability to manage and monitor malicious code affiliation networks. It enables a new level of crimeware availability by supplying anyone willing to purchase an easy-to-use crimeware toolkit.

Okay, that’s scary. And it’s reality. Crimeware-as-a-Service? Crimeware toolkits? Whatever happened to disaffected script kiddies?

The fact is that there are code criminals everywhere. We just didn’t happen to notice that they had become their own economy. Our collective bad.

From Dark Reading:

Researchers at Finjan, MarkMonitor, and Trend Micro are among those seeing a new cybercrime business model, where sophisticated cybercriminal organizations set up shop as service providers to other bad guys, offering them online, point and click criminal software as a service — often with customer service guarantees. The trend is one of the key findings in Finjan’s new Web Security Trends Report for the first quarter of this year, which the company released today.

“We are starting to see more sites like this, where criminals are going another step forward and turn out to be a service, a cybercrime as a service,” says Yuval Ben-Itzhak, CTO at Finjan.

“With relatively less effort, they can get more money. Instead of collecting data and trying to sell it, which takes more time, they build a platform to do that, and can reach a wider audience that would like to commit these crimes,” he says. This lets other criminals who don’t want to install and update their own software or run their own malicious servers get their stolen information via a Web-based service that does the dirty work for them.

“This is another step forward for criminals to improve their market, the commercialization of stolen data,” he says.

Given this level of sophistication, do we have any sense of the value of our information? I do, and it isn’t hopeful. In fact, it doesn’t surprise me that there is a growing trend to market infrastructure to harvest this information. While it is precious to you and me, this report from FraudArena tells me how little my personal information is worth. I’ll give you a high-level look, but check the site.

  • $1.50 credit card number, cvv2
  • $5-$50 stolen medical ID card
  • $6-$18 basic identity information
  • $6 British passport number and bank details
  • $7 hijacked PayPal account with credentials
  • $14-$16 “fulls,” a complete set of data identifiers, i.e., name, address, social security number, bank account, and mother’s maiden name
  • $30 passwords and codes to access consumer credit reports
  • $30-$300 immigration papers with a social security card

Your personal identification is not terribly valuable (except to YOU) and can now be harvested by criminals with an infrastructure as sophisticated as the company you work for — and, in some cases, more sophisticated. This should be at least a wake-up call for anyone with a laissez-faire attitude about their personal security.

We have talked at length about personal security, why we need it, and how to get there. While I don’t find a tin-foil hat a fashion statement, I think I will be reviewing how, when, and where my personal details are being used and managed.

How about you? Do you know where your private information is?

More information:

Crimeware-as-a-Service taking off (InfoWorld)

Security firm warns of Crimeware-as-a-Service Toolkit Trend (PC World)

What should a "Manhattan Project" for network security look like?

Security has been the focus of the past few days as the RSA security conference has been underway. The keynote speech was delivered by Michael Chertoff, the Secretary of Homeland Security, and in his speech, he stressed the need to create a “Manhattan Project” for computer security. The Secretary brought up the recent attacks on Estonia, which led to a government shutdown for a short time, as an example of how much damage can be wrought by hacker attacks.

Chertoff Describes ‘Manhattan Project’ for Cyber-defenses (eWeek)

Any such effort will have to include a boatload of training, but not just for the security professionals who do the actual work involved in preventing and detecting attacks. Based on the statistics in Symantec’s latest Internet security threat report, the average computer user is the biggest threat to network security. In years past, a user had to visit a malicious Web site to run the biggest risk of getting infected with malware, but hackers are getting more inventive and have started compromising legitimate Web sites in order to distribute their code.

Who trumps bin Laden as a cyberthreat? Look in the mirror (News.com)

Compromised legit sites power hack attacks (The Register)

Symantec’s report hits close to home, as I work in education, which was singled out by the report as the source for 24% of data breaches that could result in identity theft. I have long known the value of educating my users, as the statistics I read back in the ’90s indicated that a well-trained user was six times less likely to accidentally damage their computer or compromise security. I rather suspect that training users would have a beneficial long-term effect as they would be another line of defense to add to the firewalls and IDS/IPS systems already on corporate networks.

What do you think should be included in a “Manhattan Project” for network security?

Ongoing concern over Pentagon network attack

In June 2007, a network intrusion at the Pentagon resulted in the theft of an “amazing amount” of information. The incident continues to be a national security concern according to Dennis Clem, Office of the Secretary of Defense (OSD) CIO.

The OSD detected malicious code in various portions of the network infrastructure during a project to consolidate resources. Over the following two months, the code infiltrated multiple systems, culminating in an intrusion that exploited a vulnerability in Microsoft Windows.

Through the attack, spoofed e-mail messages bearing recognizable names were sent to OSD employees. Because the messages appeared safe, employees opened them, which allowed user IDs and passwords to be stolen. As a result, sensitive data housed on Defense systems was accessed, copied, and sent to the intruder.

From GovernmentExecutive.com:

“This was a very bad day,” said Clem during a panel discussion at the Information Processing Interagency Conference Tuesday. The breach continues to pose a threat, he added. “We don’t know when they’ll use the information they stole, [which was] an amazing amount, [including] processes and procedures that will be valuable to adversaries.”

Clem didn’t give any indication that the source of the attack was identified, nor did he provide details about what data was accessed. He noted that the network used by the office of John Grimes, Defense CIO and assistant secretary of networks and information infrastructure, is maintained separately, and therefore was not compromised.

“They used every tool they could against us,” Clem said at the Information Processing Interagency Conference. While Clem did not identify the source of the code, later reports identified it as most likely coming from the Chinese government.

From FCW.com (Federal Computer Worker):

It was a judgment call on Clem’s part to block only part of the network that handles the e-mail system. He had staff advising him to shut down the whole network.

“It was a huge gamble,” he said, adding that the security operations center had in place an effective scanning tool which supported his view that the intrusion had not yet spread throughout the network. But his next step would have been to shut down all of the office’s network, Clem said.

The Pentagon manages around 70,000 illegal-entry attempts daily that range from small innocuous probes to full-blown attack attempts. Attackers know, often within minutes, when a new server or new software is introduced.

Also from FCW.com:

Besides disconnecting part of the network, Clem took some actions that mitigated the damage. He proceeded systematically through the processes and procedures. He used a utility to check user identifications and required the regular use of smart cards, which have two-factor authentication. He implemented digital signatures to protect against spoof e-mail. He recorded all his activities and communications during the response period.

Information technology security has to be comprehensive to be effective. “You have to close every possible door that can be opened,” Clem said, but cautioned, “Even the best intrusion detection program can’t stop all of them.”

The information provided by Dennis Clem in this presentation tells us a few things. It tells us that the government tried hard to avoid the hack but was met with a determined foe. It tells us that the government was taking steps to improve its situation even while being attacked. It tells us that while the government employs some pretty bright people, anyone can be vulnerable. And the government is a target.

What is the right approach? What would you have done differently to mitigate an attack in progress? What steps does your company take to avoid a breach?


Encryption blurs admissible evidence in child porn case

Sebastien Boucher was stopped at the United States-Canadian border on Dec. 17, 2006. At that time, agents inspecting his computer said that they found files containing child pornography. Boucher was promptly arrested, but when the authorities tried to access the files, they ran into the PGP encryption program.

Boucher, a 30-year-old drywall installer, is a Canadian with U.S. residency in New Hampshire where he works. When he was stopped, he assisted agents in the initial inspection, which revealed files with names such as “Two-year-old being raped during diaper change” and “pre-teen bondage.”

Boucher admitted to downloading pornographic images from the Internet through a news board but stated that he unknowingly downloaded images of child pornography. He claimed that he deleted images of child pornography when he realized it, according to an affidavit filed by Immigration and Customs Enforcement.

According to federal Magistrate Jerome Niedermeier on Nov 29, 2007, “Producing the password, as if it were a key to a locked container, forces Boucher to produce the contents of his laptop. The password is not a physical thing. If Boucher knows the password, it only exists in his mind.”

On the face of it, this case is simple — a person trying to carry pornographic images of children across an international border. The catch is whether the courts can compel him to voluntarily abandon his rights under the Fifth Amendment.

From the Globe and Mail:

Orin Kerr, a law professor and computer crime expert at George Washington University, said the distinction that favours the government in Boucher’s case is that he initially co-operated and let the agent look at some of the laptop’s contents.

“The government can’t make you give up your encryption password in most cases. But if you tell them you have a password and that it unlocks that computer, then at that point you no longer have the privilege,” he said.

Tien, the attorney with the Electronic Frontier Foundation, said a person’s right to keep a password secret is a linchpin of the digital age.

Encryption is “really the only way you can secure information against prying eyes,” he said. “If it’s too easy to compel people to produce their crypto keys, it’s not much of a protection.”

Another point to consider is that if Magistrate Niedermeier’s ruling is allowed to stand, the result could be “dangerous” for law enforcement. According to Mark Rasch, a privacy and technology expert with FTI Consulting and former federal prosecutor, “If it stands, it means that if you encrypt your documents, the government cannot force you to decrypt them. So you’re going to see drug dealers and pedophiles encrypting their documents, secure in the knowledge that the police can’t get at them.”

At the end of the day, we have to consider some truly gripping questions. First, we have to recognize that the rule of law is the rule of law for all. If you fall into U.S. jurisdiction, you are subject to whatever ruling is mandated as “law” on this question.

If we say that by encrypting the files, the individual had a reason to believe that the information should be private, is it okay to say that when the individual is a suspected terrorist? Or pornographer? Or senior business official? Is one better than another?

If we decide that a person’s Fifth Amendment rights are inconsequential, are they always inconsequential? Are we then compelled to self-implicate? Where does the Fifth fit in?

This brings us to some crucial underlying questions — Where is the line, and HOW do we draw it? Or is the question HOW do we define the line? Can law truly BE case-by-case?

While the first person to test existing law has an unsavory rationale, I have to ask: would you care more if the files under fire were private business documents? Would you feel differently if they were personal documents between you and your significant other? Would you feel differently if they were personal documents between you and your terrorist cell?

How do you think these documents should be handled? Because of their very nature, it seems as if each incident should be considered on its own merits, but how do we define the supporting law?

This isn’t about one guy with questionable content on his laptop. It is much deeper, and the impacts of the answers are far-reaching.

Can you excuse pornography, even child pornography, to keep your business safe? How about your country? How do we define the boundaries, and what is our message to the law makers? How about to law breakers?

More information:

In Child Porn Case, a Digital Dilemma (Washington Post)

Child-porn case hinges on laptop’s password (Orlando Sentinel)

Encrypted laptop poses privacy dilemma (CIO Today)

Retired police officer nabs Internet predators

Retirement should be the time when you step away from the work world and relax. Retired police chief Jim Murray intended to do just that. And then he bought a personal computer.

From Yahoo:

[But] the 69-year-old retired police chief of this small Missouri town cuts a credible figure as a 13-year-old girl surfing the Web, looking for friends. He knows all the instant-messaging shorthand, the emoticons.

Murray’s retirement job from a rural home office has netted 20 arrests since he started in 2002. His latest catch was the biggest: four felony enticement charges against a town mayor, who after his arrest called Murray up and begged him to make the case go away.

Nineteen other defendants have included a Missouri furniture company executive, an Arkansas professor and a Tulsa, Okla., school security guard. Ten of those men have been convicted and sent to prison. One was deported. The other cases are still pending.

The defendants ranged in age from 24 to 62, with an average age of 39.4 years, and mainly come from Missouri, Arkansas and Oklahoma, Diamond police said.

While the good work that Mr. Murray is doing is obvious, what drew my attention was the fact that, until he retired in 2000, he didn’t have any computer experience. When he discovered chat rooms, he was angered to be offered pictures of young girls.

Continued from Yahoo:

He contacted experts in the field of Internet sting operations and got training from the National White Collar Crime Center on basic computer data recovery.

Now, Murray patrols the Web from a cramped home office divided between his police computer and a personal computer ringed with photos of his six grandchildren and three adult kids.

Murray remains a detective on reserve status with the Diamond police but he donates his investigation time. He says he only spends about 30 minutes a week on average in chats but several hours more going over hard drives of arrested suspects looking for contacts with other potential victims.

It’s good to know that there is life after retirement. It is better to know that there are people out there thinking of the safety of children on the Internet.

As a technology professional, is this kind of work something that you would consider doing after you retire?

Vista makes computer search easier... for the law


An American Bar Journal eColumn article brings us relevant revelations about Vista’s improved ability to provide evidence for court.

Innovations within Vista apparently make it far easier to find evidence on PCs. Chief among those are Shadow Copy, Transactional NTFS, and Instant Search.


E-mail protection arrives, search warrants now required

A three-judge panel of the Sixth Circuit of the United States Courts ruled today that e-mail is protected, and law enforcement now requires a warrant before searching e-mail archived at ISPs.


The Supreme Court rarely overturns that heartland circuit, just as its three-judge panels are rarely overruled by the entire appellate panel of the Circuit. Civil liberties confirmed by this heartland court are not easily overturned, so this decision is solid and unlikely to face challenge.

The Electronic Frontier Foundation, the ACLU, the Center for Democracy and Technology, and a coalition of Internet law professors spoke on the behalf of civil rights and argued that e-mail is a vital communication tool. Users’ e-privacy must bear constitutional protection to assure Americans free speech and un-stifled debate.

This overturns the Reagan-era Stored Communications Act (SCA) provisions, which allowed warrantless seizure of e-mail without requiring that investigation subjects be made aware of the search (and so having no chance to protest). So, ISP operators have one burden lifted: the SCA requirement not to tell their customers of an e-mail search. One EFF legal expert termed the no-notice warrants “…absolutely routine. It is and has been the Department of Justice and presumably local law enforcement’s standard practice for obtaining e-mails over the last 20 years.”

Will the administration’s Justice Department use its shrinking credibility in further appeal in quest for the right to open your e-mail without a warrant and without notice, especially when facing e-mail woes of its own? Should the Congress restore no-notice, no-warrant search of your inbox without judicial review? Join the discussion.

A warning call to cybercrooks: Think small!

It’s a no-brainer that Internet threats will continue to grow in frequency and sophistication, despite the technological advances to combat them. This News.com story discusses the severity of the situation: “Online threats outpacing law crackdowns.”

According to the article, “Cybercrooks are organizing better and moving to more sophisticated tactics to get their hands on confidential data and turn PCs of unwitting users into bots.” This makes perfect sense, doesn’t it? The better we get at protecting our systems, the more of a challenge the game becomes for cybercrooks. I don’t see this perpetual cycle ending any time soon, or ever, for that matter.

I did think it was interesting that the article pointed out another obvious fact, heeding this warning to greedy cybercrooks: “People being caught today operate networks of as many as 1 million PCs. ‘There is a greater chance that you’re going to get caught, if you do that much activity and command and control that many computers,’ [quote by Wendi Whitmore, special agent, Air Force Office of Special Investigations].” So, all of you cybercrooks out there, keep thinking… but think small if you want to increase your chances of not getting caught!

Bad boys, bad boys... what you gonna do?

According to a News.com story, Microsoft’s Web site will include training, tips, and tools for investigations and information on cybercrime. This new Law Enforcement Portal should be online by November. Here’s the complete story: “New Microsoft portal will help cops” (http://techrepublic.com.com/2100-1009_11-5845205.html)

I keep thinking about Microsoft’s ongoing security problems. Who’s going to help them?

young criminals... what a cybershame

  • Date: August 29th, 2005
  • Blogger: Sonja Thompson
  • Category: Cybercrime, Zotob

So, it looks like they arrested a couple of young men who were suspected of creating both the Mytob and Zotob worms:

http://techrepublic.com.com/2100-1009_11-5843583.html

It’s hard to believe that an 18-year-old (Farid Essebar, a Moroccan national born in Russia) and a 21-year-old (Atilla Ekici, a Turkish resident) could be responsible for such widespread destruction. My son is nine, and the only kind of worms he’s interested in are the type you use to bait your hook when you go fishing (yes, that’s fishing with an “f”).
