Friday, March 05, 2010

RSA 2010: Hackers Using Legitimate Cloud Services for Dark Ends

Iain Thomson writes on

Hacking groups are using legitimate cloud offerings such as Amazon Web Services to facilitate malware creation and password cracking, delegates at RSA 2010 were told.

The Russian Business Network (RBN), one of the most powerful and extensive malware and hacking organisations, has been buying time on Amazon's EC2 platform to build malware and attack passwords, according to Ed Skoudis, founder of security consultancy InGuardians.

"Bad guys can use the cloud to improve operations just as we can. The RBN has been using Amazon for the same kind of benefits as the good guys," he said.

"It gives them enormous password hacking tools, and can be used in massive search engine optimisation poisoning attacks."

The RBN, based in northern Russia, is one of the biggest and most professional hacking groups in the world.

More here.

Spamhaus: Microsoft's Botnet Cull Had Little Effect

Tom Espiner writes on ZDNet UK:

The throttling of Waledac, which Microsoft claimed to have achieved by means of legal action last week, has led to no appreciable reduction of junk mail coming from the botnet, anti-spam organisation Spamhaus told ZDNet UK on Tuesday.

"The amount of spam coming from Waledac [before the takedown] was less than one percent [of all spam], and that hasn't changed much," said Spamhaus chief information officer Richard Cox. "There's been a slight change, nothing major, and we would expect it to be a lot different."

More here.

Thursday, March 04, 2010

Quote of The Day: Shane Harris

"If you could jump in a time machine and go back to 1983 and say to somebody in the intelligence community, 'You know one day there will be this grand electronic database of names, and it will show who everyone is connected to and what their hobbies are and where they're going today, and where they've been, and it's going to be called the Facebook,' they would have asked 'When did the Russians win the war and when did this kind of system come into place?' That would be considered almost totalitarian and Orwellian in a sense."

- Shane Harris, author of a new book called "The Watchers: The Rise of America's Surveillance State", in an interview with Reason's Katherine Mangu-Ward.

White House Cyber Czar: 'There Is No Cyberwar'

Ryan Singel writes on Threat Level:

Howard Schmidt, the new cybersecurity czar for the Obama administration, has a short answer for the drumbeat of rhetoric claiming the United States is caught up in a cyberwar that it is losing.

“There is no cyberwar,” Schmidt said in a sit-down interview Wednesday at the RSA Security Conference in San Francisco.

“I think that is a terrible metaphor and I think that is a terrible concept,” Schmidt said. “There are no winners in that environment.”

Instead, Schmidt said the government needs to focus its cybersecurity efforts to fight online crime and espionage.

His stance contradicts Michael McConnell, the former director of national intelligence who made headlines last week when he testified to Congress that the country was already in the midst of a cyberwar — and was losing it.

More here.

New BlackEnergy Trojan Targeting Russian, Ukrainian Banks

Kelly Jackson Higgins writes on Dark Reading:

Russian hackers have written a more sophisticated version of the infamous BlackEnergy Trojan associated with the 2008 cyberattacks against Georgia that now targets Russian and Ukrainian online banking customers.

Joe Stewart, a security researcher with SecureWorks, says Russian hackers are using the Trojan spread via the BlackEnergy botnet to hit Russian and Ukrainian banks with a two-pronged attack that steals their customers' online banking credentials and then wages a distributed denial-of-service (DDoS) attack on the banks as a cover: "They may be emptying the bank accounts while the banks are busy cleaning up from the DDoS," Stewart says.

Dubbed by Stewart as "BlackEnergy 2," this new version of the Trojan is a full rewrite of the code that features a modular architecture that supports plug-ins that can be written without access to its source code. It currently comes with three different DDoS plug-ins, as well as one for spamming and two for online banking fraud, according to Stewart.

More here.

FBI Embeds Cyber-investigators in Ukraine, Estonia

Robert McMillan writes on PC World:

Hoping to catch cybercrooks, the U.S. Federal Bureau of Investigation has begun embedding agents with law enforcement agencies in Estonia, the Ukraine and the Netherlands.

Over the past few months, the agents have begun working hand in hand with local police to help crack tough international cybercrime investigations, said Jeffrey Troy, chief of the FBI's Cyber Division, in an interview at the RSA Conference in San Francisco. Because virtually all cybercrime crosses international borders, this type of cooperation is crucial, law enforcement experts say.

The embedding was inspired by a successful operation in Romania, begun in 2006, which led to close to 100 arrests. "We looked at that and said, 'Where else can we do this,'" said Troy, who heads up FBI cybercrime operations.

The FBI has a history of embedding its agents with international police. In the 1980s, U.S. agents worked with Italian law enforcement to crack mob cases that involved the two countries. "This is not a new model, but it's certainly new to cyber," Troy said.

More here.

'Mariposa' Botnet Authors May Avoid Jail Time

Brian Krebs:

Three Spanish men were arrested last month for allegedly building an international network of more than 12 million hacked PCs that were used for everything from identity theft to spamming. But according to Spanish authorities and security experts who helped unravel the crime ring, the accused may very well never see the inside of a jail cell even if they are ultimately found guilty, due to insufficient cyber crime legislation in Spain.

According to Spanish security firm Panda Security, the massive botnet, dubbed “Mariposa” (Spanish for “butterfly”), was rented out to criminals as a delivery platform for installing malicious software such as the data-stealing ZeuS Trojan and pay-per-install toolbars. Panda said the gang also stole directly from victim bank accounts, using money mules in the United States and Canada, and laundered stolen money through online gambling Web sites (pictured above is a screen shot of the Web site the men created where would-be Mariposa customers could visit for information on purchasing access to the botnet and other criminal services).

Panda said Mariposa helped crooks steal sensitive data from more than 800,000 victims, including home users, companies, government agencies and universities in at least 190 countries. Spanish police estimate that at least 600,000 of the victimized PCs belong to Spanish citizens, and yet they concede it may be extremely challenging to put the men in jail if they are convicted at trial.

“It is almost impossible to be sent to prison for these kinds of crimes in Spain, where prison is mainly for serious crime cases,” said Captain Cesar Lorenzana, deputy head of the technology crime division of the Spanish Civil Guard. “In Spain, it is not a crime to own and operate a botnet or distribute malware. So even if we manage to prove they are using a botnet, we will need to prove they also were stealing identities and other things, and that is where our lines of investigation are focusing right now.”

More here.

Monster Botnet Held 800,000 People's Details

John Leyden writes on The Register:

The Mariposa botnet had the power to dwarf Georgia and Estonia cyberattacks if it had been used to launch denial of service attacks, say Spanish police.

Months of investigations by the Guardia Civil in Spain, the FBI and security firm Panda Security and Defence Intelligence led to the takedown of the 12.7 million strong zombie network in December and the arrest of three suspects in Spain two months later.

At a press conference announcing the operation in Madrid on Wednesday, Spanish police said they recovered the personal details of 800,000 people from systems recovered from three alleged cybercriminals. This cache of stolen information includes bank login credentials from businesses and consumers as well as email passwords.

Three Spanish residents suspected of running the botnet have been charged with online offences: the most senior alleged botmaster, nicknamed “Netkairo”, 31, from Balmaseda in the Spanish province of Vizcaya, as well as his two alleged lieutenants JPR, 30, from Molina de Segura, Murcia, and JBR, 25, from Santiago de Compostela in La Coruña. None of the suspects have been named at this stage of proceedings.

In a statement, Guardia Civil officers said they were also on the trail of a fourth suspect nicknamed Phoenix, who's possibly based in Venezuela.

More here.

Wednesday, March 03, 2010

Details of 'Einstein' Cyber Shield Disclosed by White House

Siobhan Gorman writes in The Wall Street Journal:

The Obama administration lifted the veil Tuesday on a highly-secretive set of policies to defend the U.S. from cyber attacks.

It was an open secret that the National Security Agency was bolstering a Homeland Security program to detect and respond to cyber attacks on government systems, but a summary of that program declassified Tuesday provides more details of NSA’s role in a Homeland program known as Einstein.

The current version of the program is widely seen as providing meager protection against attack, but a new version being built will be more robust, largely because it’s rooted in NSA technology. The program is designed to look for indicators of cyber attacks by digging into all Internet communications, including the contents of emails, according to the declassified summary.

Homeland Security will then strip out identifying information and pass along data on new threats to NSA. It will also use threat information from NSA to better identify emerging cyber attacks.

More here.

'Google' Hackers Had Ability to Alter Source Code

Kim Zetter writes on Threat Level:

The hackers who targeted Google and other companies in January targeted the source code management systems of companies, allowing them to siphon source code as well as modify it, according to a new report.

More importantly, systems that the companies used to develop and manage their source code have numerous security flaws that would allow easy compromise of a company’s intellectual property. The same systems are used by numerous other companies who may not realize that their source code is open to attack.

The white paper [.pdf], released by security firm McAfee during this week’s RSA security conference in San Francisco, provides a couple of new details about the attacks, dubbed Operation Aurora, that affected some 34 U.S. companies, including Google and Adobe, beginning last July. McAfee helped Adobe investigate the attack on its system and also provided information to Google about malware that was used in the attacks.

According to the paper, the hackers gained access to software configuration management systems (SCM), which could have allowed them to steal proprietary source code or surreptitiously make changes to the code that could seep undetected into commercial versions of the company’s software product. Stealing the code would also allow attackers to examine the source code for vulnerabilities in order to develop exploits to attack customers who use the software, such as Adobe Reader, for example.

More here.

RSA Panel: No Easy Solution for Zeus Trojan, Banking Malware

Marcia Savage writes on

The Zeus Trojan has been keeping David Shroyer up at night. The sneaky, ever-changing malware comes in many variants and is constantly finding ways to evade detection, said Shroyer, vice president of online security and enrollment at Bank of America.

"The complexity of the Trojan is what makes it so scary," he said during a panel discussion on banking malware Tuesday at the RSA Conference. New solutions to fight the threat can quickly become outdated, he added.

Bank of America does a lot of threat scoring; last year, phishing was the top threat facing its customers. But this year, in the wake of Zeus, "The customer endpoint has become the number one threat," he said.

Cybercriminals have been using the Zeus Trojan to steal online banking credentials, and researchers say the highly customizable and easily obtainable malware kit has proven to be particularly successful. Small and midsize businesses have been especially hard hit by online banking fraud triggered by password-stealing malware.

More here.

Microsoft's Charney Suggests 'Net Tax to Clean Computers

Robert McMillan writes on PC World:

How will we ever get a leg up on hackers who are infecting computers worldwide? Microsoft's security chief laid out several suggestions Tuesday, including a possible Internet usage tax to pay for the inspection and quarantine of machines.

Today most hacked PCs run Microsoft's Windows operating system, and the company has invested millions in trying to fight the problem.

Microsoft recently used the U.S. court system to shut down the Waledac botnet, introducing a new tactic in the battle against hackers. Speaking at the RSA security conference in San Francisco, Microsoft Corporate Vice President for Trustworthy Computing Scott Charney said that the technology industry needs to think about more "social solutions."

That means fighting the bad guys at several levels, he said. "Just like we do defense in depth in IT, we have to do defense in depth in [hacking] response."

"I actually think the health care model ... might be an interesting way to think about the problem," Charney said. With medical diseases, there are education programs, but there are also social programs to inspect people and quarantine the sick.

More here.

Spain Busts Hackers for Infecting 13 Million PCs

A Reuters newswire article, via Threat Level, reports:

Spanish police have shut down a ring of computer hackers who infected more than 13 million PCs with a virus that stole credit card numbers and other valuable data in what may be the biggest cyber-raid to date.

Spain’s Civil Guard said on Tuesday that it arrested three men suspected of running the so-called Mariposa botnet, named after the Spanish word for butterfly. A press conference to give more details is scheduled for Wednesday.

Mariposa had infected machines in 190 countries in more than half of the world’s 1,000 largest companies and in at least 40 big financial institutions, according to two Internet security firms that helped Spanish officials crack the ring, Canada’s Defense Intelligence and Spain’s Panda Security.

“It was so nasty, we thought ‘We have to turn this off. We have to cut off the head,’” said Chris Davis, CEO of Defense Intelligence, which discovered the virus last year. He added that the ring was shut down on December 23.

More here.

Monday, March 01, 2010

Cyberwar Hype Intended to Destroy the Open Internet

Ryan Singel writes on Threat Level:

The biggest threat to the open internet is not Chinese government hackers or greedy anti-net neutrality ISPs, it’s Michael McConnell, the former director of national intelligence.

McConnell’s not dangerous because he knows anything about SQL injection hacks, but because he knows about social engineering: McConnell is the nice-seeming guy who is willing and able to use fear-mongering to manipulate the federal bureaucracy for his own ends, while coming off like a straight shooter to those not in the know.

When he was head of the country’s national intelligence, he scared President Bush with visions of e-doom, prompting the president to sign a comprehensive secret order that unleashed tens of billions of dollars into the military’s black budget so they can start making firewalls and malware into military equipment. And now McConnell, back safely in civilian life as a vice president at the secretive defense contracting giant Booz Allen Hamilton, is out in front of Congress and the media, peddling the same Cybaremaggedon! gloom.

And now he says we need to re-engineer the internet.

More here.

Wiseguys Indicted in $25 Million Online Ticket Ring

Kim Zetter writes on Threat Level:

A ring of ticket brokers has been indicted in connection to an elaborate hacking scheme that used bots and other fraudulent means to purchase more than 1 million tickets for concerts, sporting events and other events.

The defendants made more than $25 million in profits from the resale of the tickets between 2002 and 2009.

According to the 43-count federal indictment [.pdf] unsealed Monday in New Jersey, the defendants set up a nationwide network through which they were able to impersonate thousands of individual ticket buyers, defeating the security and fraud measures that online ticket vendors such as Ticketmaster, Musictoday and put in place to thwart automated ticket buying.

The defendants did business as Wiseguy Tickets and Seats of San Francisco, and used two shell companies called Smaug and Platinum Technologies to purchase IP blocks and rent servers to conduct the attacks.

Wiseguy often obtained so many premium tickets for an event that it was the leading source for the best tickets to some of the most popular events, according to prosecutors. They allegedly purchased tickets to Miley Cyrus, Barbra Streisand, Bon Jovi and Bruce Springsteen concerts, as well as tickets to the Rose Bowl football game in 2006 and the 2007 Major League Baseball playoffs at Yankee Stadium.

In 2007, the owners offered employees a 100 percent salary bonus if the company met a goal of purchasing 1 million tickets of a certain value, the authorities said.

More here.

Info on U.S. Website for Medical Data Thefts is Bare-Bones

David Lazarus writes in The Los Angeles Times:

The medical records of more than 18,000 patients of at least five Torrance doctors were potentially accessed by cyber-thieves on a single day in September, but this is probably the first you're hearing of it.

Although a new federal law requiring greater disclosure of medical-data security breaches was passed a year ago, it wasn't until recently that the Department of Health and Human Services began posting specific incidents online.

And the feds aren't exactly being generous with details about people's confidential medical info being hacked or going astray.

In the Sept. 27 Torrance cases, for example, were the doctors in the same office? Were they in the same building? Did they share a single computer? Did they share office staff? Or was it just a fluke that five local doctors' offices were hit by cyber-thieves on the same day?

More to the point, were people's Social Security numbers involved? What about billing information?

The Health and Human Services database doesn't include this information. Nor does it identify the doctors involved.

More here.