Thursday, May 22, 2008

Programming Note: APWG CeCOS II



So I'm headed for Tokyo tomorrow for the Anti-Phishing Working Group's Second Annual Counter eCrime Operations Summit (CeCOS II).

Needless to say, blogging will be light-to-non-existent for a few days. I'll be back next week, and things should get back to normal insofar as the blog goes.

Cheers!

- ferg

Wednesday, May 21, 2008

Pentagon Plan: 'Eliminate' Space, Cyberspace Threats

Noah Shachtman writes on Danger Room:

The Pentagon's spies are looking to "eliminate" opponents' abilities to strike from space, or online. A new plan from the Undersecretary of Defense for Intelligence, retired Gen. James Clapper, warns that the "current patchwork of passive defense" in cyberspace "is likely to fail in the face of greater vulnerabilities and more sophisticated threats. Defense intelligence must do its part to defeat this critical threat."

In recent months, military officials have been issuing shrill warnings about attacks from space and cyberspace -- and darkly promising massive and devastating retribution, if the United States is struck. A recently launched Air Force program is searching for "full control" of "any and all" computers. "Every potential adversary, from nation states to rogue individuals... should be compelled to consider... an attack on U.S. systems resulting in highly undesirable consequences to their own security," a recent Defense Department report notes.

More here.

SANS Contributes $1M, Expertise to Global Cyber Security Group

Wilson P. Dizard III writes on GCN.com:

The SANS Institute has announced a $1 million contribution to the International Multilateral Partnership Against Cyber-Terrorism (IMPACT) and started sharing technical information with the organization.

The two groups plan to expand developing countries’ online security resources, they said yesterday in an announcement issued at the IMPACT World Cyber Security Summit in Kuala Lumpur, Malaysia.

IMPACT and SANS plan to start by launching the Improved Cyber Defenses Through Cybersecurity Training and Skills Development activity. That project will conduct hands-on courses in core cybersecurity activities such as forensics, intrusion detection and penetration testing, they said.

The training project is aimed at providing world-class training to cybersecurity specialists working in every country, regardless of income level.

More here.

Boondoggle: Plan to Reduce Cell Phone Cancellation Fees Draws Criticism

An AP newswire article, via The Los Angeles Times, reports that:

A proposal for the government to help cell phone customers avoid expensive fees when they cancel contracts with wireless companies may go down in flames after consumer advocates protested today that it isn't generous enough.

Cell phone companies routinely charge customers $175 or more for quitting their service early. Under a proposal to the Federal Communications Commission, the wireless industry would give consumers the opportunity to cancel service without any penalty for up to 30 days after they sign a cell phone contract or until 10 days after they receive their first bill, among other provisions.

In exchange for the government's approval, the agreement would let cell phone companies off the hook in state courts where they are being sued for billions of dollars by angry customers. If approved by the FCC, the proposal also would take away the authority of states to regulate the charges, known as early termination fees.

More here.

SCADA Watch: U.S. Lawmakers See Cyber Threats to Electrical Grid

Grant Gross writes on PC World:

The U.S. electrical grid remains vulnerable to cyber attacks that could cripple the economy, and the organization responsible for regulating electrical suppliers doesn't appear to be serious about fixing the problems, some U.S. lawmakers said Wednesday.

U.S. Representative James Langevin and other members of the House of Representatives Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology questioned whether the North American Electric Reliability Corp. (NERC), an electric industry group tasked with ensuring electric reliability, is doing its job.

NERC officials last October painted a "misleading" and rosy picture of the U.S. electric system's readiness for cyber attacks, said Langevin, a Rhode Island Democrat and chairman of the subcommittee. But Langevin has "little confidence" that the U.S. electrical grid has fully addressed the so-called Aurora vulnerability, a cyber attack aimed at shutting down electric utilities' generators or other equipment, he said.

More here.

OECD: U.S. Sinks to 15th Place Worldwide in Broadband

Jacqueline Emigh writes on BetaNews:

In broadband access, the United States has now slipped from twelfth to fifteenth place versus other countries, according to new research released this week by the Organisation for Economic Cooperation and Development.

The OECD study points to factors ranging from pricing to download speeds as possible reasons why the US may be losing ground, at least compared against other countries. Unlike some other broadband studies, which compare access rates across wider numbers of countries, the OECD research looks only at penetration rates among its own 30 member nations.

The US actually placed first in terms of total numbers of broadband subscribers. But the OECD's penetration rates are based on numbers of broadband subscribers per 100 inhabitants.

By these statistics, the US has continued a comparative slide for the past six years, ranking in fourth place in 2001, twelfth place in 2006, and now, according to the OECD's latest figures, fifteenth place by the end of 2007.

More here.

Consumers Have Great Expectations for Online Security

Paula Damiano writes on Bank Systems & Technology:

Despite banks' best efforts to improve online security, their defenses are only as strong as their customers' security habits. Unfortunately, even though consumers recognize their role in keeping their sensitive information safe, they often don't take the necessary precautions — and still hold their financial institutions responsible for a security breach, according to a new Accenture study.

The global consulting firm's survey of U.S. and U.K. consumers' Internet security perceptions reveals that consumers have a Jekyll and Hyde attitude toward online security. While 88 percent of survey respondents believe that personal irresponsibility (i.e., the improper sharing or disposing of sensitive information) is the cause of identity theft, nearly half admit to laxness in password security practices — such as using the same password on multiple accounts. Still, one in four respondents would close a bank account immediately if a security breach occurred.

More here.

Australia Crumbles Under Cyber Storm II Attack

Liam Tung writes on ZDNet.com.au:

The 55 Australian organisations that took part in Australia's cyberwar games, Cyber Storm II [.pdf], suffered "death by a thousand cuts", according to the head of Australia's Cyber Storm II effort.

Speaking at day three of the AusCERT 2008 security conference, Steven Stroud, head of Australia's Cyber Storm effort and director of e-security exercises at the Attorney General's Department, told delegates that the incident response teams of participating organisations often became short-sighted under the simulated attacks, leading to chains of command crumbling, careless mistakes, and the loss of vital information.

"A lot of organisations wanted to exercise senior incident response (IR) boards, and to do that they had to create a crisis on the shop floor. What they found out was, that it was very hard to get people to escalate. The IR teams were putting out spot fires here and there and no one took a step back to see the whole house was on fire," he told delegates.

More here.

'Phishing Piers' - Phishers Turn to Legit Sites to Steal Information

Dan Kaplan writes on SC Magazine US:

Phishers have discovered a new way in which to launch phishing attacks that will allow the assaults to persist for much longer than usual.

They are turning to infiltrating legitimate websites on which to host their attacks -- a technique known as "hack-and-pier," according to Finnish anti-virus firm F-Secure.

Normally, internet service providers take down fraudulent websites within 24 hours, according to research, but when an authentic site is the culprit, much more work is involved.

"The site cannot simply be pulled offline without collateral damage to the legitimate business," Sean Sullivan, a technical specialist at F-Secure, said Wednesday on the company's blog. "So the website's administrator must be contacted to repair the damage."

More here.

Tuesday, May 20, 2008

SCADA Watch: GAO Says TVA Power Plants Vulnerable to Cyber Attacks

Brian Krebs writes in The Washington Post:

The Tennessee Valley Authority (TVA), the nation's largest public power company, is vulnerable to cyber attacks that could sabotage critical systems that provide electricity to more than 8.7 million people, according to a Government Accountability Office report to be released today.

The report [.pdf] was requested by a House Homeland Security panel on cyber security, which is expected to hear testimony today from the Federal Energy Regulatory Commission about gaining additional authority to require electric utilities to implement added cyber-security measures.

The GAO found that TVA's Internet-connected corporate network was linked with systems used to control power production, and that security weaknesses pervasive in the corporate side could be used by attackers to manipulate or destroy vital control systems. As a wholly owned federal corporation, TVA must meet the same computer security standards that govern computer practices and safeguards at federal agencies.

The GAO also warned that computers on TVA's corporate network lacked security software updates and anti-virus protection, and that firewalls and intrusion detection systems on the network were easily bypassed and failed to record suspicious activity.

More here.

What Makes a Cyber Criminal?

Via The BBC.

Fabio's small frame is hunched over an ancient computer screen in a dingy internet cafe in one of the favelas of Sao Paulo. He is learning the basic skills needed to commit crime online.

Fabio - not his real name - is taking his online lessons from experienced computer hackers. He is disarmingly matter-of-fact about his new career.

"I buy small things - mobile phones, cameras - so that people don't even know I've been using their credit cards," he explains.

Fabio is a low-level frontline operative in a rapidly expanding battle taking place in the virtual world. For the moment, he is unlikely to be caught because he is restricting himself to the regular theft of small amounts of money.

More here.

Pro-Serbian Hacktivists Attacking Albanian Websites

Dancho Danchev writes on the ZDNet "Zero Day" Blog:

The ongoing monitoring of pro-Kosovo hacking groups indicates an ongoing cyberwar between pro-Serbian supporting hacktivists successfully defacing Albanian sites, and building up capabilities by releasing a list of vulnerable Albanian sites (remote SQL injections for remote file inclusion, defacements or installing web shells/backdoors) to assist supporters in importing the list into their do-it-yourself web site defacement tools.

According to Serbian hacking groups, independent Albanian web site defacers initially started attacking their sites later on joined by Kosovo Hacking group. In response, Serbian hacking groups have started distributing a segmented list of remotely exploitable Albanian sites and encouraging others to join the initiative and attempt to deface the sites.

More here.

Permanent Denial-of-Service Attack Sabotages Hardware

Kelly Jackson Higgins writes on Dark Reading:

You don’t have to take an ax to a piece of hardware to perform a so-called permanent denial-of-service (PDOS) attack. A researcher this week will demonstrate a PDOS attack that can take place remotely.

A PDOS attack damages a system so badly that it requires replacement or reinstallation of hardware. Unlike the infamous distributed denial-of-service (DDOS) attack -- which is used to sabotage a service or Website or as a cover for malware delivery -- PDOS is pure hardware sabotage.

More here.

The Estonia Cyber War: One Year Later

Robert Vamosi writes on the C|Net "D3F3NS3 1N D3PTH" Blog:

One year ago, the Estonian government moved a war memorial honoring Russian-Estonians who died fighting the Nazis, a move that may have triggered what some believe is the first instance of a sustained, international cyberwar.

Now, Gadi Evron, a security evangelist for Beyond Security who was in Estonia at the time of the attacks, has revisited the events with an article in the Georgetown Journal of International Affairs and reprinted here [.pdf] online.

Evron said what could be described as a "flash mob" created the disturbances in the Estonian Internet during May 2007. "Not only did the cyber riot start almost simultaneously with the actual riots, fresh posts in the Russian-language blogosphere continuously appeared with new targets and instructions. These details suggest that the cyberattackers reacted to Estonian defenses," he wrote.

More here.

Boehner Wants Protection From Illegal Wiretapping - But Only For Himself

U.S. House Minority Leader John Boehner (R-Ohio)

Via EFF.org.

The blatant hypocrisy on display here is stunning.

When ordinary Americans were being wiretapped, Boehner's attacked them and their right to privacy, claiming "I believe (phone companies) deserve immunity" from the law. But when Boehner himself was being wiretapped, he had no hesitation to claim his own right to privacy, claiming "no one is above the law."

When ordinary Americans are victimized, Boehner's taken every opportunity to caricature their representatives at EFF and ACLU as "unscrupulous trial lawyers" who are "trying to find a way to get into the pockets of the American companies." But when Boehner himself is the victim, suddenly defense attorneys don't seem so unscrupulous to him, and he has no problem employing his own litigators to receive a $1.1 million reward.

More here.

Study: Patient Health Care Data At Risk

Greg Masters writes on SC Magazine US:

A new report on the security of the personal information of health care patients was just released and it indicates that steps need to be taken and rules enforced.

Among the findings of the 2008 HIMSS Analytics Report: Security of Patient Data [.pdf], commissioned by Kroll Fraud Solutions, is that patient data collected and stored in hospitals and health care facilities is a prime target for malicious data hunters.

The patient records in these facilities include the golden combination that data fraudsters require -- names, Social Security numbers and dates of birth. Records also contain mailing address, insurance policy information, medical history and sometimes credit card and financial information used to expedite billing and payment – “more data in one record than those of any other source such as banks, schools or HR departments.”

More here.

U.S. Army Aims to Take Guesswork Out of Cyber Defense

William Jackson writes on GCN.com:

The Army Research Office (ARO) is funding work by a consortium of private companies to develop predictive technologies that could improve the efficiency of cybersecurity tools.

The idea is to create a global system to gather and correlate security events, giving users early warning about coming attacks and aiding in the configuration of sensors, filters and other devices that detect and respond to these events, said Livio Ricciulli, chief scientist at MetaFlows, of Redlands, Calif.

MetaFlows is a member of the Cyber-Threat Analytics (Cyber-TA) project, funded by ARO. The goal of this program is a commercial service that could be used to help program security devices.

“Obviously, there is a heavy focus on making it meet Army requirements as well,” Ricciulli said. “But there definitely is a commercial component.”

More here.

U.S. Federal Government Earns 'C' on Computer Security Report Card

Brian Krebs writes on Security Fix:

The federal government earned an overall grade of "C" for securing its computer systems and networks from cyber attack last year, a slight improvement from the "C-minus" mark the government was given in 2006.

The report cards [.pdf] were issued today by Rep. Tom Davis of Virginia, the ranking Republican on the House Committee on Oversight and Government Reform.

Nine agencies earned failing grades for 2007, including the departments of Agriculture, Commerce, Defense, Interior, Labor, Transportation, Treasury, Veterans Affairs, as well as the Nuclear Regulatory Commission. The grades are based on data submitted by the agencies and agency inspector generals to the White House for fiscal year 2007.

More here.

UK: 'Big Brother' Database for Phones and e-Mails

Richard Ford writes in The Times Online:

A massive government database holding details of every phone call, e-mail and time spent on the internet by the public is being planned as part of the fight against crime and terrorism. Internet service providers (ISPs) and telecoms companies would hand over the records to the Home Office under plans put forward by officials.

The information would be held for at least 12 months and the police and security services would be able to access it if given permission from the courts.

The proposal will raise further alarm about a “Big Brother” society, as it follows plans for vast databases for the ID cards scheme and NHS patients. There will also be concern about the ability of the Government to manage a system holding billions of records.

More here.

Monday, May 19, 2008

Internal Cisco File Raises Censorship Concerns

Glenn Kessler writes in The Washington Post:

Cisco Systems, seeking to penetrate the Chinese market, prepared an internal marketing presentation in which it appeared to be willing to assist the Chinese Ministry of Public Security in its goal of "combating Falun Gong evil cult and other hostile elements," according to a translation of a document obtained by congressional investigators.

The Cisco presentation will take center stage today at a hearing of the Senate Judiciary Committee on the Global Internet Freedom Act, which aims to defeat Internet censorship. The Washington Post obtained a copy of the presentation, the authenticity of which was confirmed by Cisco.

Falun Gong is a spiritual movement that has been harshly repressed by the Chinese government, which claims the group is engaged in illegal activities.

In its PowerPoint presentation, Cisco referred to the Chinese government's project to control the Internet, including its use by groups such as Falun Gong. After a slide referencing the crackdown on Falun Gong, the next slide proclaims: "Cisco Opportunity: High start-point planning, High standard construction, Technical training, Security and operation maintenance."

More here.

AusCERT: Online Users Lack Security Skills

Karen Dearne writes on Australian IT:

A first-time survey of ordinary users' online behaviour has revealed dangerous misunderstandings about internet safety and a lack of security skills that results in one in five home computers being infected by malicious software.

Seventy-five per cent of home users routinely connect to the internet using an administrator account, and 54 per cent stay permanently connected - both poor security practices that make life easy for attackers, warns Graham Ingram, general manager of Australia's national computer emergency response team, AusCERT.

While 84 per cent use their computer for internet banking, 66 per cent for electronic payments, and 52 per cent for buying and selling online, the AusCERT Home Users Computer Security Survey found 11 per cent of respondents never updated their operating system - overwhelmingly Microsoft Windows XP - while 8 per cent never updated their anti-virus software.

Thirty per cent of 1001 respondents to the survey, conducted by Nielsen, admitted to clicking on links in spam email, 35 per cent connected to risky peer-to-peer networks for file-sharing, and 5 per cent piggybacked on a neighbour's unsecured WiFi access point.

More here.

'Firefox Ponders Suicide'

Andrew Orlowski writes on The Register:

The Phorm bug is spreading. The idea of collecting a user's browsing history and flogging that data doesn't just appeal to ISPs. The Mozilla Foundation, the people behind the Firefox browser, want some of that action too.

The Foundation is officially a tax exempt non-profit - but still manages to pay its chairperson $500,000 a year. Executives last week confirmed they are working on a project referred to internally as "Data". This would gather anonymised data on a voluntary basis, and provide the analytical information for anyone who wanted it.

More here.

'Main Core': Enemies of The State Database

Christopher Ketcham writes on RadarOnline.com:

According to a senior government official who served with high-level security clearances in five administrations, "There exists a database of Americans, who, often for the slightest and most trivial reason, are considered unfriendly, and who, in a time of panic, might be incarcerated. The database can identify and locate perceived 'enemies of the state' almost instantaneously."

He and other sources tell Radar that the database is sometimes referred to by the code name Main Core. One knowledgeable source claims that 8 million Americans are now listed in Main Core as potentially suspect. In the event of a national emergency, these people could be subject to everything from heightened surveillance and tracking to direct questioning and possibly even detention.

More here.

Hat-tip: Boing Boing

Yet More Mass SQL Injection Attack Targets Chinese Websites

Sumner Lemon writes on InfoWorld:

Web sites across China and Taiwan are being hit by a mass SQL injection attack that has implanted malware in thousands of Web sites, according to a security company in Taiwan.

First detected on May 13, the attack is coming from a server farm inside China, which has made no effort to hide its IP (Internet Protocol) addresses, said Wayne Huang, chief executive officer of Armorize Technologies, in Taipei.

"The attack is ongoing, ... even if they can't successfully insert malware, they're killing lots of Web sites right now, because they're just brute-forcing every attack surface with SQL injection, and hence causing lots of permanent changes to the victim Web sites," Huang said.

More here.

38 in U.S., Romania Charged in Phishing Schemes

Grant Gross writes on InfoWorld:

Thirty-eight people in the U.S. and Romania have been charged in two indictments alleging they used complicated Internet phishing schemes to steal thousands of credit and debit card numbers, U.S. and Romanian authorities announced Monday.

The indictments, in U.S. District Court for the Central District of California and the District of Connecticut, focus on two related phishing schemes with ties to organized crime, the U.S. Department of Justice said. Phishing involves sending e-mail messages that look like official correspondence from banks or credit card vendors in an attempt to get recipients to go to a fake Web site and enter their account numbers.

More here.

Sunday, May 18, 2008

Off Beat: Are We the Bastard Children of RAND?

Alex Abella writes on The History News Network:

Sixty years ago this May an obscure team of defense research scientists quietly incorporated into an organization that would rewrite world history. They kept the cryptic acronym they had given themselves when they were a top Pentagon project —RAND, as in Research and Development—and set up shop in an abandoned newspaper plant by the beach in Santa Monica, California.

Within the span of a few years RAND had become what the Soviet newspaper Pravda dubbed ‘an academy of science and death,’ a place where defense intellectuals could, at their frightful leisure, dream up new ways to make war on America’s enemies. Soon its sway spread beyond the military sphere, extending to national defense, foreign policy, domestic issues and economic theory. Over the past sixty years, the think tank’s influence has been so pervasive that it is no exaggeration to say that all of us who live in the Western world can be called the bastard children of RAND.

More here.

U.S. Toll in Iraq


Via The Boston Globe (AP).

As of Sunday, May 18, 2008, at least 4,080 members of the U.S. military have died in the Iraq war since it began in March 2003, according to an Associated Press count.

The figure includes eight military civilians killed in action. At least 3,326 died as a result of hostile action, according to the military's numbers.

The AP count is the same as the Defense Department's tally, last updated Friday at 10 a.m. EDT.

More here.

And as always, the Iraq Coalition Casualty Count keeps the grim watch on their website here.

Honor the Fallen.

Bush Budget Snubs FBI's Crime Squads

Paul Shukovsky and Daniel Lathrop write in The Seattle Post-Intelligencer:

Despite a powerful surge in bank robbery, mortgage fraud and white-collar crimes, the Bush administration's 2009 budget leaves an already handicapped FBI criminal program without the agents it needs to respond -- a shortcoming acknowledged by top FBI officials.

It's the latest chapter in the administration's terrorism trade-off -- a continuing trend of cannibalizing agents and resources from traditional crime squads to fight terrorism instead of spending enough money to do both.

President Bush's proposed budget doesn't add a dime to reinforce agents in the FBI's crime-fighting squads, which remain at least 1,700 agents below pre-9/11 levels, according to a Seattle P-I analysis.

But even partially restoring the FBI's crime-fighting capabilities isn't a priority, White House Deputy Budget Director Steve McMillin said Friday.

More here.

UK Government Rejects Chance to Set Up e-Crime Unit

Leo King writes on Computerworld UK:

The government has missed another opportunity to commit to an internet crime response unit, despite vowing to better police communications data in the interests of national security.

In the Communications Data Bill, part of draft legislation for the year, the government said it needed to react to technology developments including the growth in IP usage, and modify the ways in which it obtains and holds information passing over networks. But it made no mention of creating a police division that would focus on investigating and fighting online crime.

More here.

Image of the Day: Cell Phone Companies vs. How Much They Suck



Graph by Kyndra Woodbury, via GraphJam.

Google Assists In Arrest Of Indian Man

Michael Arrington writes on TechCrunch:

Today we’re hearing of another arrest, this time in India: 22-year-old IT professional Rahul Krishnakumar Vaid. His crime was writing in an Orkut community named “I hate Sonia Gandhi.” Sonia Gandhi is a prominent politician in India.

Vaid was charged under section 292 of the Indian Penal Code and section 67 of the Information Technology Act because he created a profile and then posted content in vulgar language about Sonia Gandhi in the community.

During investigations, the cyber crime cell of Pune police communicated with Google (which owns Orkut) seeking details about who formed this forum and circulated the obscene content. It was known that the vulgar message about Sonia Gandhi was circulated through an email address – Rahulvaidindia@gmail.com . The owner of the email id, Rahul Vaid, was traced, using information supplied by Google, to Chakarpur in Gurgaon city of Haryana.

More here.

Japanese P2P Virus Writer Convicted, Escapes Jail

Via GovTech.com.

Experts are questioning whether courts worldwide are giving consistent sentences to hackers following news that a Japanese man has escaped jail, despite admitting writing a virus that wiped music and movie files on innocent users' computers.

Masato Nakatsuji, who was revealed to be the first ever virus writer to be arrested in Japan when he was apprehended in January, admitted writing the malware which displayed images of popular TV anime characters while destroying data on third party computers. The malicious code was spread via the controversial Winny file-sharing system in Japan last year.

Today, Nakatsuji, a graduate student at Osaka Electro-Communication University, was found guilty in Kyoto District Court and sentenced to two years in jail. However, as the sentence is suspended for three years he will not have to serve any time in prison.

More here.