Monday, 28 February 2011

Why plug computers are a security nightmare

The increasing availability of low-profile “wall-wart” plug computers like the SheevaPlug can be viewed as an emerging threat to physical network security. For $99, a budding industrial espionagist could buy the SheevaPlug developer kit or the consumer TonidoPlug, install some easily available network intrusion testing software, and illicitly “test” the security of a competitor’s network.

While many of these techniques have been known for a while, the small form factor of plug computers and consumer netbooks, coupled with their rapidly decreasing price, could enable disposable intrusion tools and open new avenues for attack. The current $99 SheevaPlug has no wireless capability and limited storage, but the manufacturer has just announced an expanded model with Wi-Fi, Bluetooth, and an internal hard drive. Even without these advances, current generation plug computers can easily be expanded with a USB memory stick or external USB hard drive, USB wireless interface, and more. For little more than $100 one could make a practically undetectable wireless bug that can be deployed in seconds.

In fact, soon you may be able to just buy an all-in-one penetration plug computer, the PlugBot.

edit: as was pointed out to me after posting this article, the described device already exists and can tunnel out over 3G. http://pwnieexpress.com/pwnplug3g.html

With two wireless adapters and some simple software, a plug computer becomes a wireless bridge capable of automatically cracking wireless networks in range (both WEP and WPA are vulnerable these days; see aircrack). Most locations have multiple third-party networks overlapping their physical space, which, if cracked, could be used as back channels for the plug computer to phone home. The attacker could then tunnel into the company network undetected and completely bypass the company’s external defenses by routing through an available third-party wireless network. From the perspective of the attacked network, even if the intrusion is noticed, it appears to come from within their own physical space.

A number of other uses come to mind for such devices:
- Passive sniffing of internal network traffic using dsniff and sending it back to an attacker. Many networks aren’t sufficiently secured once you’re past the perimeter firewalls.
- Physically connect two ethernet interfaces and use the plug computer as a man-in-the-middle proxy to sniff all traffic entering and leaving a workstation.
- Attach a camera or other sensor payload and use as an over-the-internet video bug.

Again, much of this has been possible for a while, but form factor is everything. Also, I haven’t seen people talking about the possibility of bridging multiple available wireless networks together for attack obfuscation and to avoid connecting through a company’s edge network. I don’t think companies pay enough attention to passive physical monitoring and intrusion threats like this, especially given the insecurity of wireless encryption standards. What do you think?
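One control the author's closing question points at is the boring one: knowing what is plugged into your own switch ports. The following is an added example, not code from the original post, showing how a defender can audit a host's neighbour table against an asset inventory to flag an unknown device on the wired segment and a MAC address that answers for more than one IP (the classic ARP-spoofing indicator). The `ip neigh` lines and the inventory are constructed sample data; on a real network you would feed it the output of `ip neigh` (or `arp -n`) from a monitoring host and your CMDB. Note the caveat: a device wired inline between a workstation and the wall, as in the man-in-the-middle item above, never appears in an ARP table at all, so this check complements, rather than replaces, 802.1X or switch port security.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ip neigh` output from a Linux monitoring host (not real data).
SAMPLE_NEIGH = """\
10.0.5.10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.5.11 dev eth0 lladdr 00:11:22:33:44:66 STALE
10.0.5.42 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
10.0.5.43 dev eth0 lladdr 00:11:22:33:44:55 DELAY
10.0.5.99 dev eth0  FAILED
"""

# Constructed asset inventory: MAC address -> asset name.
INVENTORY = {
    "00:11:22:33:44:55": "ws-finance-01",
    "00:11:22:33:44:66": "printer-2f",
}

# One `ip neigh` line: "<ip> dev <iface> lladdr <mac> <state>"; lines without a
# resolved lladdr (FAILED/INCOMPLETE) carry no MAC and are skipped.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-f:]{17}) (?P<state>\S+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    reason: str


def parse_neighbors(text):
    """Return a list of (ip, mac) pairs, MACs normalised to lower case."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            entries.append((m["ip"], m["mac"].lower()))
    return entries


def audit(entries, inventory):
    """Flag MACs absent from the inventory and MACs claiming several IPs."""
    findings = []
    ips_by_mac = {}
    for ip, mac in entries:
        if mac not in inventory:
            findings.append(Finding(ip, mac, "unknown MAC not in asset inventory"))
        ips_by_mac.setdefault(mac, set()).add(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(Finding(",".join(sorted(ips)), mac,
                                    "one MAC answering for multiple IPs (ARP spoofing indicator)"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_neighbors(SAMPLE_NEIGH), INVENTORY):
        print(f"{f.ip:<20} {f.mac}  {f.reason}")
```

Run on the sample, the audit reports the unknown device at 10.0.5.42 and the inventory MAC of ws-finance-01 answering for both 10.0.5.10 and 10.0.5.43. Scheduling this from cron and diffing against the previous run turns it into a cheap "new device appeared" alert.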

[Andrew Cantino's Blog]

HBGary Federal CEO Aaron Barr steps down

Embattled CEO Aaron Barr says he is stepping down from his post at HBGary Federal to allow the company to move on after an embarrassing data breach.

The announcement comes three weeks after Barr became the target of a coordinated attack by members of the online mischief making group Anonymous, which hacked into HBGary Federal's computer network and published tens of thousands of company e-mail messages on the Internet. HBGary did not respond to telephone and e-mail requests for comments on Barr's resignation.

In an interview with Threatpost, Barr said that he is stepping down to allow himself and the company he ran to move on in the wake of the high profile hack.

“I need to focus on taking care of my family and rebuilding my reputation," Barr said in a phone interview. "It’s been a challenge to do that and run a company. And, given that I’ve been the focus of much of bad press, I hope that, by leaving, HBGary and HBGary Federal can get away from some of that. I’m confident they’ll be able to weather this storm.”

The group conducted a preemptive strike on HBGary after Barr was quoted in a published article saying that he had identified the leadership of the group and planned to disclose their identities at the B-Sides Security Conference in San Francisco.

By combining a SQL injection attack on HBGary's Web site with sophisticated social engineering attacks, the group gained access to the company's Web and e-mail servers as well as the Rootkit.com Web site, a site also launched by HBGary founder Greg Hoglund. Ultimately, the group defaced HBGary's Web site and disgorged the full contents of e-mail accounts belonging to Barr, Hoglund and other company executives.

Though Barr and HBGary were the victims of the hack, the contents of the e-mail messages divulged plans that cast both in an unflattering light. Among them were data mining efforts and mentions of possible disinformation campaigns on behalf of a "large U.S. bank" and the law firm that represents the U.S. Chamber of Commerce that seem to run afoul of civil liberties and professional ethics.

HBGary counted many U.S. government agencies, including the Department of Defense, CIA and NSA as customers. The disclosure of e-mail messages from the company poses a major security risk to those organizations, as well as individuals who had corresponded with the firm. The breach also raises troubling questions about the direction that HBGary and other Beltway firms have taken. Email exchanges published online revealed the firm to be at work on a variety of plans to do data mining and information operations on U.S. organizations and journalists on behalf of clients including law firms representing a large U.S. bank and the U.S. Chamber of Commerce. Most recently, the incident spilled into the mainstream, with comedian Stephen Colbert devoting a segment of his Colbert Report program on February 24 to the HBGary hack.

[ThreatPost]

Storm Clouds: Gmail failure reinforces danger of becoming too Cloud-dependent


Surely by now you’ve heard of the problems people have been having with their Gmail accounts. E-mails have been deleted, accounts have been disabled, and while Google has been hard at work trying to make everything right, it’s just another example of why moving your entire life to the cloud may not always be the best idea.

Google says that the glitch, which first popped up at the weekend, has only affected a small percentage of the Gmail userbase. Initial estimates hovered around less than 0.29 percent of all Gmail users, but that number has since been revised down to less than 0.08 percent of all Gmail users.

It’s fair to say that calling the glitch “widespread” probably wouldn’t be entirely accurate.

But that doesn’t mean we can’t use this episode as a “teachable moment,” a time to reflect on the wisdom of moving so much of our data to the cloud.

The cloud, Conan? Odds are you use the cloud several times per day. Do you use an e-mail service like Gmail? That’s the cloud. Ever stream music from Spotify or Rdio? That’s the cloud. Watch Netflix streams before going to bed? Yup, that’s the cloud.

Any time you’re tapping into data that’s hosted somewhere else you’re tapping into the cloud.
Contrast these examples with your giant collection of MP3s or Blu-ray discs. If, for whatever reason, Spotify’s servers go down you won’t be able to listen to “I Need A Doctor.” Good thing you have an MP3 stored locally, right? And what happens when one of Netflix’s servers keels over? Guess you can’t watch whatever. But wait! That’s why you have a collection of shiny plastic discs, either of the Blu-ray or DVD variety.

The cloud extends beyond mere entertainment. Online stores like Steam and the new Mac App Store are all on the cloud. Steam sales are great until you try to download Fallout: New Vegas during one of them. At that point it’s probably quicker to hop in the car, drive over to the only store in the county that still stocks PC games, then come home and install it the old-fashioned way.

That, of course, is provided the Steam servers can stay online. Same thing with the Mac App Store. Apple can’t well “kill” the shiny plastic disc if it can’t figure out how to hand out a few download codes.
That such a small number of people have experienced glitches with their Gmail accounts doesn’t mean everybody should panic. That would be silly. But it does mean that perhaps people should think twice before they trash their Blu-ray collection in favor of something like Netflix, or before they entrust all of their personal data to an anonymous server in North Carolina that they have zero control over.
Be careful, is all.

[CrunchGear]

We are living in strange "Cyberwar times"

In the aftermath of the Stuxnet worm, governments around the world are mobilizing to be better prepared against cyberthreats and cyberwar.

It's becoming clearer and clearer that groups of individuals with a lot of knowledge, time and motivation can do harm to economies, healthcare, utilities and other systems, and could be responsible (who knows?) for the collapse of a country.

We have already had successful cyberattacks that collapsed a country's information infrastructure and paralyzed it for a while. We can recall:
  • 2007 cyberattacks on Estonia
  • 2007 cyberattacks against Syria's radar infrastructure
  • 2008 cyberattacks on Georgia
  • 2010 Stuxnet worm
Based on this kind of attack, in 2009, President Barack Obama declared America’s digital infrastructure to be a "strategic national asset," and in May 2010 the Pentagon set up its new U.S. Cyber Command.
Other governments are doing the same.

We can predict (or guess) that sooner or later telecommunication and utility companies will have military network devices tapped or deployed in-line in their networks, monitored and managed by military personnel who, in case of a threat, will analyze, mitigate, block or even shut down traffic.

It seems natural to me. The Internet is evolving. Security is at the top of many people's agendas.

Deploying additional protection at strategic points is a smart course of action.

The question is:

How far would we go down the "hobbit hole"? Will these systems be used only for defense?

Can countries like Egypt use those "defense technologies" to shut down the voice of people like they did days ago?

I hope not.

But we should keep an eye on it.

Just in case.

By the way, Egypt shut down its DNS servers and stopped advertising BGP routes. Basic stuff; it did not use any "out of this world technology" as our press stated in some news reports.

[ISC2]

Play.com customers at risk from phishing

Play.com, one of the biggest UK online retailers, has its share of scammers that try to lure users searching for a bargain and scam them out of their hard earned money.

Play - which is very much like Amazon and eBay and has the same option of rating sellers - is able to identify and push out scammy sellers only after they receive a bevy of lousy ratings for failing to deliver the goods.

But it's not the £2 DVDs that earn the scammers enough money to make their efforts worthwhile. What usually happens is that the buyer receives an e-mail similar to this:

With "Problem with payment/order" in the subject line, the scammers try to trick users into sending them personal and credit card information that will allow them to steal more money from the buyers or sell that information to other crooks.

According to GFI, this particular letter tries to convince the user to fill out "the following secure form" by clicking on the reply button and filling in the blank spaces. But what should immediately strike the potential victim as suspicious is the fact that there is no actual form to fill out, and that sending the details in plain text cannot actually be secure if done via e-mail.

Of course, some users are not aware of any of these things, and some might not be sure about their scam detection skills. That's why it is always a good idea to pick up the phone, find and directly dial the service's number (never the one offered in the e-mail) and ask them for advice.


[net-security]

Cybercrime: Why it's the new growth industry

PCWorld reported earlier this month that in a struggling economy, one industry that has shown double digit growth year after year is, like many other high growth industries, an illicit one - in this case, cybercrime.

There was a time, as recently as the 1990s, when most of those who hacked into systems illegally or launched attacks on networks or websites were tech savvy males in their teens or twenties. They did it for fun, for the challenge, as a learning experience, and/or to prove to their buddies that they could.

Today’s cybercriminals tend to be older, shrewder, and more often motivated by money. And they don’t even need to be talented coders to make big profits. As the Panda Labs report referenced in this recent MSNBC.com article notes, anyone can buy (or download for free) malicious software that can be used to make big bucks stealing credit card numbers and other personal information.

Consequently, the cost of cybercrime — to individuals, corporations, governments and society in general — continues to climb. According to a study by Britain’s Office of Cyber Security and Information Assurance, the total cost to the British economy is 27 billion pounds (or $43.5 billion U.S.D.) per year, with most of that being shouldered by business.

Evolving trends

As cybercrime has become more profit-driven, its “business model” has evolved and new types of criminal activities (as well as new twists on the old types) have emerged. According to a recent report by Steve Wexler over at NetworkComputing.com, Cisco’s market intelligence manager identified one significant change as “a shift away from Windows-based PCs to other operating systems and platforms, including smart phones, tablet computers and mobile platforms in general.” This fits right in with the findings of other companies. Trend Micro, for instance, predicted that the growing use of mobile devices would help make 2011 a very profitable year for cybercriminals.

It makes sense, of course. The increasing popularity of smart phones and tablets means more and more people are carrying miniature computers with them everywhere they go, and using them for more of their daily tasks - including financial transactions. Yet, many people who wouldn’t think of running their desktop PCs without antivirus and anti-malware software neglect to protect their phones and tablets in a similar manner, despite the fact that there are many mobile security products now available for all the popular platforms.

McAfee’s Fourth Quarter 2010 Threats Report said mobile malware increased by 46 percent from 2009 to 2010, with such threats as the SymbOS/Zitmo.A and Android/Geinimi Trojan.

Many of the new mobile threats are aimed at accessing personal information such as banking or credit card data to be used for highly profitable identity theft schemes. And because so many mobile devices (even “semi-smart” phones) now have access to the web, the incidence of web browser-based threats is also increasing. Those mobile devices are also frequently being used to access social networking services such as Facebook, so we can expect attacks targeting those sites to become a growing problem.

Convenience vs. security

It’s long been an accepted truism that security and convenience tend to sit on opposite ends of a continuum, and in most cases, the more you have of one, the less you have of the other. One reason for the popularity of new mobile platforms is the convenience and ease of use that they offer. Downloading and installing an app to your phone or tablet, for instance, is generally a simpler matter than installing a new program on your computer. On the computer, you would probably have to click through one or more security warnings and confirm that yes, you really want to install this program, then walk through a wizard where you might select various configuration options. On the mobile device, you touch a couple of buttons and your app is installed and ready to go.

But what do you sacrifice in security for this convenience? A Sophos researcher recently held that the Android Market’s instant-download feature presents a serious security threat, due to the “background” nature of the app installation process. An attacker who gains access to your Google password could even install software on your phone without you being aware of it.

How bad can it get?

An article published a few months ago in the Economic Times of India paints a dire picture, predicting that in 2011, viruses will become more like the ones in sci-fi movies, with attacks on critical infrastructure and industrial establishments, along with increasing incidence of cyber-espionage. In fact, a number of security analysts have warned that cybercriminals are likely to become more organized, with new groups forming and existing groups joining together to create more serious attacks, perhaps even escalating to the level of cyberterrorism and/or cyberwarfare.

This is the type of scenario that seems like something out of a fiction novel. And Mark Russinovich, co-founder of Winternals Software and well-known technical fellow at Microsoft, has just published his first novel, Zero Day, that deals with that very plotline. Unlike many previous technothrillers, this is coming from someone who is intimately familiar with how computers and networks work and what really is or isn’t possible - and that makes it all the scarier.

Fiction aside, the U.S. government takes the threat of cyberterrorism, which could be considered the ultimate form of cybercrime, very seriously. The Department of Homeland Security (DHS) and the Federal Emergency Management Agency (FEMA) fund programs such as that of the Cyberterrorism Defense Analysis Center (CDAC).

On the international front, NATO’s Cyber Defence Policy Advisor last month made headlines with the statement that the line between cybercrime and cyberwarfare is “very thin,” noting that the same attack methods that are used to target individuals and businesses can also be used for military purposes.

The impact of the cloud

As more organizations consider entrusting some or all of their IT functions to public cloud providers, this raises the question of how cloud computing trends will impact cybercrime. Last summer, George Chang of Fortinet wrote that “cloud computing sets a perfect scene for the acts of cyber criminals.” Certainly, concentrating huge amounts of data in a centralized location - whether a corporate datacenter or the datacenter of a cloud provider - gives criminals a bigger target, and everyone knows that the bigger the target is, the easier it is to hit it. Indeed, surveys have shown security concerns to be one of the biggest obstacles to adoption of cloud computing, although a plethora of security product vendors are rushing to fill that gap, and at this year’s RSA Conference, RSA head Art Coviello said solutions already exist, through virtualization.

And just as cloud technologies can be used by cybercriminals to their advantage, cloud based fraud detection can also be used against them. By collecting and sharing information about millions of devices across the world, these cloud services can pick up on patterns of criminal activity that wouldn’t otherwise be obvious, as ThreatMetrix CEO Reed Taussig pointed out in a recent interview with Sue Marquette Poremba for IT Business Edge.

A perfect trifecta

It’s a basic tenet in criminal justice theory that in order to commit a crime, a criminal must have the motive, the means and the opportunity. Today’s cybercriminals have a compelling motive: the ability to make big money, with far less risk than is involved in committing the same types of crime in the “real world.” They have the means, thanks to readily available malware packages they can download for a fee or for free, so that they don’t even need to possess the technical skills themselves. And the opportunity is there and growing all the time, with more people conducting more transactions - both business and personal - online, using new technologies such as mobile devices and cloud computing that in many cases, haven’t yet matured in terms of security and protective mechanisms.

Despite governmental efforts to crack down on cybercrime, laws haven’t yet completely caught up with the technology, and it’s still dauntingly difficult to enforce the laws we do have because of jurisdictional and other issues that I discussed last month. That means those considering a career as cybercriminals could be looking at a much more positive outlook than those of us engaged in legitimate work.

What can be done about it?

It was just reported that the U.K. is planning to spend 63 million pounds (to be taken from a 650 million pound cyber security fund) to build up its resources for fighting cybercrime.

In the U.S., congressional legislators have expressed concern that the recent attempts to hack the NASDAQ stock exchange may raise questions about the Security and Exchange Commission’s ability to protect against cybercriminal activities directed at the stock market.

The U.S. government is also planning a diplomatic effort to convince more countries to join in cybercrime investigations, since international cooperation is really the key to being able to enforce cybercrime laws when so many online criminals are based overseas.

It’s not just government agencies that are trying to do something about it. Large companies such as Microsoft, with its Digital Crimes Unit (DCU), are also investing their resources in efforts aimed at tracking down and prosecuting cybercriminals.

Meanwhile, a number of leading technology companies, including Microsoft, Cisco, IBM and Boeing, have teamed up with NASA and the U.S. Department of Defense to develop international standards for making IT equipment more secure.

And despite the difficulties, there have been a number of important successes in the battle against cybercrime in the past year. Some high profile arrests included members of the Zeus Trojan gang and the mastermind behind the Mega-D Trojan, as well as the shutdown of the Mariposa botnet.

[TechRepublic]

There's no money back if your account is drained by malware

Commentary - Phishing attacks on small and medium-sized businesses are on the rise with thousands of organizations falling victim. If a cybercriminal gets on to a computer with access to your business' financial accounts they can withdraw funds and your business is out of the money. That's it. Gone. See ya. Have a nice day.

Unlike consumer accounts, which are subject to Federal Reserve Regulation E requiring banks to provide reimbursement for certain losses, business accounts are not covered by this regulation and are therefore not assured repayment for such losses. So don't bank on getting your money back.

And it's not just big business being targeted any longer. According to the FBI, cybercriminals now have their sights set on the financial accounts of small and medium-sized businesses, leading to significant disruption and substantial monetary loss due to fraudulent transfers from these accounts.

Online job postings could cost you more than you planned
Just last month, the FBI reported that cybercriminals had stolen more than $150,000 from a US business via an unauthorized wire transfer resulting from a malware infected email. In the latest phishing scams cyberthieves are embedding malware in email responses to job postings placed on employment websites with the aim of obtaining the credentials of an employee authorized to conduct financial transactions within the company. They then easily can change account settings to send wire transfers -- which is just what they did in the latest attack reported by the FBI. In its "New E-Scams & Warnings" the FBI identified the malware as a Bredolab variant, svrwsc.exe, which is a malware connected to the ZeuS/Zbot Trojan and commonly used by cybercriminals to defraud US businesses.

If the cybercriminal can get a company employee to open an infected attachment or click on a link that contains hidden malware they are in the door. The malware logs the key strokes and allows the thief to "see" and track the employee's activities across the business' internal network and on the Internet - be it visits to a financial institution, and/or online banking credentials. Using this information the thief can and does conduct unauthorized transactions that appear to be legitimate.

What you don't know can cost you
While you read about the latest malware or Trojan what you may not be hearing about are the financial losses that are hitting local businesses - like the NY marketing firm Little & King, LLC that reportedly faced bankruptcy last year, but apparently recovered, after $164,000 was drained from its account.
While privacy laws may require a business to notify its customers of a database breach, a business checking account that gets robbed in cyberspace does not necessarily require notification. After all, it is the cash of the business and not directly associated with customers. So the local business gets robbed, their money wired to who knows where -- lost and never to be recovered -- and no one outside the business is the wiser.

This is an issue for the FBI, which is hamstrung in dealing with the matter because the money moves offshore without a trace, as increments of less than $10,000 are not reported.

And with more small to medium-sized businesses conducting online banking, and with employees using the same computer they surf the net on to check or store business financial information, things look set only to get worse.

And if you assume that the credit card protection policies apply to your business checking account, they do not. This problem is ugly for the banks because the money is withdrawn from them but with your credentials captured by the key-logger, so they avoid the liability.

This could change, but so far has not.

So what can you do?


1. Mind the cookie jar, because no one else is. Protect your business' computers that have access to financial accounts or information. After all, in addition to protecting your customers' privacy, without money to fund your business you have no business.

2. Know your bank's policy on fraudulent business wire transfers before you are hit.

3. Don't rely on traditional reactive anti-virus solutions as they clearly are not enough. Once you've been hit there is no turning back.

4. Implement proactive technologies like application whitelisting which stops these attacks.

5. Enforce business policies, if possible, to only allow dedicated computers access to financial accounts (although for the small to medium-sized business entrepreneur on the go this is often impractical).

6. Insist that your endpoint protection vendor deal with the problem. Symantec and McAfee are making billions on your annual subscription payments, but are not providing protection from these threats. As a business you may be required to use these anti-virus vendors for PCI DSS and other regulations and standards. They must be laughing all the way to their bank.
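Item 4 recommends application whitelisting without saying what it actually decides on. The following is an added illustration, not code from the author or from Savant Protection, of the core of a hash-based allowlist: a binary runs only if the SHA-256 of its contents matches an approved entry, so a dropper renamed to look like an approved program, or an approved program that has been patched by one byte, is denied by default. The "binaries" are constructed byte strings, and the names `bankclient.exe` and `svrwsc.exe` (the latter is the file name quoted from the FBI warning above) are used only as labels; `audit_directory` is a helper for running the same decision over a real folder.

```python
import hashlib
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    """Content hash: the allowlist keys on this, never on the file name."""
    return hashlib.sha256(data).hexdigest()


def build_allowlist(approved):
    """approved: {display name: bytes of the approved build} -> {sha256: name}."""
    return {sha256_hex(data): name for name, data in approved.items()}


def check_execution(filename, data, allowlist):
    """Default-deny decision for one executable. Returns (allowed, reason)."""
    digest = sha256_hex(data)
    name = allowlist.get(digest)
    if name is None:
        return False, f"DENY  {filename}: sha256 {digest[:16]}... not in allowlist"
    return True, f"ALLOW {filename}: matches approved build '{name}'"


def audit_directory(directory, allowlist, patterns=("*.exe", "*.dll")):
    """Apply the same decision to every matching file under a real directory."""
    decisions = {}
    for pattern in patterns:
        for path in Path(directory).rglob(pattern):
            decisions[str(path)] = check_execution(path.name, path.read_bytes(), allowlist)
    return decisions


# Constructed "binaries" standing in for real PE files.
APPROVED_BUILDS = {"bankclient.exe 1.0": b"MZ-constructed-approved-banking-client-build-1.0"}
ALLOWLIST = build_allowlist(APPROVED_BUILDS)


def demo():
    """Three cases a practitioner cares about: approved, renamed dropper, tampered build."""
    approved = APPROVED_BUILDS["bankclient.exe 1.0"]
    dropper = b"MZ-constructed-dropper-payload"          # the malware, whatever it is called
    return {
        "approved_build": check_execution("bankclient.exe", approved, ALLOWLIST)[0],
        # the dropper saved under the approved program's name: the hash still differs
        "dropper_renamed": check_execution("bankclient.exe", dropper, ALLOWLIST)[0],
        # its original name does not matter either
        "dropper_own_name": check_execution("svrwsc.exe", dropper, ALLOWLIST)[0],
        # one byte appended to the approved build: a different file, so denied
        "approved_build_patched": check_execution("bankclient.exe", approved + b"\x00", ALLOWLIST)[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:<24} {'allowed' if allowed else 'denied'}")
```

The operational cost of this model is exactly what the author's item 5 hints at: every legitimate update produces a new hash that must be approved before it can run, which is manageable on a dedicated finance machine and painful on a general-purpose laptop.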

While many businesses have spent the past few years achieving compliance, overall small to medium-sized businesses have lost ground in keeping up with the evolving malware and endpoint security threats. If something isn't done quickly your business may not only lose business you may lose the business. You can take that to the bank.

Biography
Paul Paget is CEO of Savant Protection, an application whitelisting provider for SMEs and MSPs. Based in Hudson, NH, Savant Protection's automated application whitelisting is being used by SMEs, including regional banks, credit unions and local governments, as well as MSPs to proactively and easily stop malware and safeguard endpoints. You can contact Paul at Paul.Paget@SavantProtection.com.


[ZDNet]

Researchers spot new Mac OS X malware


Security researchers from Sophos have spotted a new piece of malware targeting Mac OS X users.
According to the company, the BlackHole RAT release is still under development, and appears to be using the source code of a popular Windows trojan horse known as darkComet.
The screen lock feature reads:

Hello I’m the BlackHole Remote Administration Tool. I’m a trojan horse, so I have infected your Mac Computer. I know, most people think that Macs can’t be infected, but look, you ARE infected! I have full controll over your Computer and I can do everything I want, and you can do nothing to prevent it. So, Im a very new virus, under Development, so there will be much more functions when I’m finished. But for now, it’s okay what I can do. To show you what I can do, I will reboot your Computer after you have clicked the Button right down.

Open source malware is an inseparable part of the cybercrime ecosystem, allowing novice cybercriminals to quickly catch up with what used to be sophisticated propagation tactics a few years ago.
With open source malware now an everyday reality, it shouldn’t be surprising that the growth of malware is reaching such epic proportions in the overall picture. Although rare, malware releases for Mac OS X are only going to get more popular with time, given the underserved market segment combined with the countless number of malware coders.

The company emphasizes the fact that the BlackHole RAT isn’t spreading in the wild, and urges users to exercise extra caution when downloading freeware applications or, even worse, pirated releases. A short clip showing the trojan horse in action can be seen here.

New type of financial malware hijacks online banking sessions

A new type of financial malware has the ability to hijack customers’ online banking sessions in real time using their session ID tokens.

OddJob, which is the name Trusteer gave to this Trojan, keeps sessions open after customers think they have "logged off", enabling criminals to extract money and commit fraud unnoticed.

This is a completely new piece of malware that pushes the hacking envelope through the evolution of existing attack methodologies. It shows how hacker ingenuity can side-step many commercial IT security applications traditionally used to defend users' digital - and online monetary - assets.

Trusteer have been monitoring OddJob for a few months, but have not been able to report on its activities until now due to ongoing investigations by law enforcement agencies. These have just been completed.

Trusteer's research team has reverse engineered and dissected OddJob's code methodology, right down to the banks it targets and its attack methods. Financial institutions have been warned that OddJob is being used by criminals based in Eastern Europe to attack their customers in several countries including the USA, Poland and Denmark.

The most interesting aspect of this malware is that it appears to be a work in progress, as we have seen differences in hooked functions in recent days and weeks, as well as the way the Command & Control (C&C) protocols operate.

These functions and protocols will continue to evolve in the near future, and our analysis of the malware's functionality may not be 100 per cent complete as the code writers continue to refine it.

OddJob's most obvious characteristic is that it is designed to intercept user communications through the browser. It uses this ability to steal/inject information and terminate user sessions inside Internet Explorer and Firefox.

OddJob’s configuration data shows that it is capable of performing different actions on targeted Web sites, depending on its configuration. The code is capable of logging GET and POST requests, grabbing full pages, terminating connections and injecting data into Web pages.

All logged requests/grabbed pages are sent to the C&C server in real time, allowing fraudsters to perform session hijacks, also in real time, but hidden from the legitimate user of the online bank account.

By tapping the session ID token - which banks use to identify a user's online banking session - the fraudsters can electronically impersonate the legitimate user and complete a range of banking operations.

The most important difference from conventional hacking is that the fraudsters do not need to log into the online banking computers - they simply ride on the existing and authenticated session, much as a child might slip in unnoticed through a turnstile at a sports event, train station, etc.

Another interesting feature of OddJob, which makes it stand out from the malware crowd, is its ability to bypass the logout request of a user to terminate their online session.

Because the interception and termination is carried out in the background, the legitimate user thinks they have logged out, when in fact the fraudsters remain connected, allowing them to maximise the profit potential of their fraudulent activities.

All matching is case-insensitive, and, using this process of pattern matching, fraudsters using OddJob are able to cherry pick the sessions and targets they swindle to their best advantage.

The final noteworthy aspect of OddJob is that the malware's configuration is not saved to disk - a process that could trigger a security analysis application. Instead, a fresh copy of the configuration is fetched from the C&C server each time a new browser session is opened.

[net-security]
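
The server-side controls a defender would want against the logout interception described above, as an added example that is not OddJob's code nor code from Trusteer or any bank: a session store that bounds a ridden token with an idle timeout and an absolute lifetime, run through a constructed timeline in which the user's logout never reaches the server. The class, function names, timeline and timeout values are assumptions.

```python
"""Bounding what a ridden session token can do on the server side.

Added example, not OddJob's code nor any bank's: an in-memory session
store with server-side logout, an idle timeout and an absolute lifetime,
plus a constructed timeline in which the user's logout request never
reaches the server (the behaviour the article attributes to OddJob).
Names, timeline and timeout values are assumptions for illustration.
"""
import secrets
import time


class SessionStore:
    """Sessions live only on the server, keyed by an unguessable token."""

    def __init__(self, idle_timeout, absolute_timeout, clock=time.time):
        self.idle_timeout = idle_timeout          # seconds allowed since last request
        self.absolute_timeout = absolute_timeout  # seconds allowed since login
        self.clock = clock                        # injectable for a reproducible scenario
        self._sessions = {}

    def login(self, user):
        token = secrets.token_urlsafe(32)  # 256 random bits, never derived from user data
        now = self.clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def validate(self, token):
        """Return the session's user while it is live, else None.

        Both limits are enforced here, so a token keeps working only as long
        as the server allows, whatever the client did or did not send.
        """
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self.clock()
        if now - sess["last_seen"] > self.idle_timeout or now - sess["created"] > self.absolute_timeout:
            del self._sessions[token]  # expired: forget it on the server
            return None
        sess["last_seen"] = now
        return sess["user"]

    def logout(self, token):
        """Invalidate on the server; True if a live session was removed."""
        return self._sessions.pop(token, None) is not None


class FakeClock:
    """Manually advanced clock so the scenario below is reproducible."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def token_usable_after_dropped_logout(idle_timeout, absolute_timeout, attacker_delay):
    """Constructed timeline: login at t=0, activity at 60/120/180 s, a logout
    click at 200 s that the malware drops, then a request with the same token
    attacker_delay seconds after the click. True if that request is accepted.
    """
    clock = FakeClock()
    store = SessionStore(idle_timeout, absolute_timeout, clock)
    token = store.login("alice")
    for t in (60, 120, 180):
        clock.now = t
        if store.validate(token) != "alice":
            raise RuntimeError("legitimate traffic should be accepted")
    clock.now = 200
    # The user clicks logout here, but the request never reaches the server,
    # so there is deliberately no store.logout(token) call on this path.
    clock.now = 200 + attacker_delay
    return store.validate(token) is not None


def logout_reaching_server_invalidates():
    """Control case: when the logout does arrive, the token is dead at once."""
    clock = FakeClock()
    store = SessionStore(idle_timeout=300, absolute_timeout=1800, clock=clock)
    token = store.login("alice")
    clock.now = 10
    store.logout(token)
    clock.now = 11
    return store.validate(token) is None


if __name__ == "__main__":
    # Generous limits: the ridden token still works ten minutes after the dropped logout.
    print(token_usable_after_dropped_logout(86400, 86400, 600))  # True
    # A five-minute idle limit refuses that same request...
    print(token_usable_after_dropped_logout(300, 1800, 600))     # False
    # ...but only narrows the window; one minute after the click it still works.
    print(token_usable_after_dropped_logout(300, 1800, 60))      # True
    # The absolute lifetime caps the session even when the idle limit is generous.
    print(token_usable_after_dropped_logout(86400, 1800, 2000))  # False
    print(logout_reaching_server_invalidates())                 # True
```

The third case is the point of the timeline: a short idle limit narrows the window the article describes but cannot close it, because the server never learns that the user meant to log out.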

New types of cookies raise online privacy concerns


The advertising industry has led the drive for new, persistent and powerful cookies, with privacy-invasive features for marketing practices and profiling.

The EU cyber security Agency ENISA advocates that both the user browser and the origin server must assist informed consent, and that users should be able to easily manage their cookies.

A new ENISA paper identifies and analyzes cookies in terms of security vulnerabilities and the relevant privacy concerns.

The new types of cookies support user identification in a persistent manner and offer too little transparency about how they are being used. Therefore, their security and privacy implications are not easily quantifiable. To mitigate the privacy implications, the Agency recommends, among other things, that:
  • Informed consent should guide the design of systems using cookies, and the use of cookies and the data stored in cookies should be transparent to users.
  • Users should be able to easily manage cookies: in particular new cookie types. As such, all cookies should have user-friendly removal mechanisms which are easy to understand and use by any user.
  • Storage of cookies outside browser control should be limited or prohibited.
  • Users should be provided with another service channel if they do not accept cookies.
The Executive Director of ENISA, Prof. Udo Helmbrecht underlines: "Much work is needed to make these next-generation cookies as transparent and user-controlled as regular HTTP cookies, to safeguard the privacy and security aspects of consumers and business alike." 

Five best browser security extensions

You share and access some of your most sensitive data through your web browser, so it doesn't hurt to add a little extra security to your browsing session. Here's a look at five of the best, most popular security extensions out there.

AdBlock Plus (Firefox/Chrome)
AdBlock, as its name would imply, blocks certain scripts serving advertisements on a website. But instead of more general script-blocking, like NoScript (below), ABP focuses on blocking just advertisements. As we've mentioned before, you can tweak ABP for added security benefit by using a "malicious ad" blocklist. You can, of course, whitelist sites you want to support (ahem), but ABP also provides the more obvious aesthetic benefit of a web less cluttered with ads.

HTTPS Everywhere (Firefox)

HTTPS Everywhere from the Electronic Freedom Foundation will help you to secure the connection between your browser and the servers it is connecting to. It helps to encrypt your connection when possible, even when the default setting on the web site does not offer the added security. A good example is Twitter. The username and password input boxes are encrypted, but after that all text coming to or from the server is sent in the clear. (Very recently, Facebook added an option to always turn on HTTPS. Here's how to do that.) HTTPS Everywhere even helps to protect against hacking tools such as Firesheep.

LastPass (All Platforms)

LastPass secures another vector that hackers can use to try to gain access to your personal information - your password. When you use the LastPass browser plugin, it stores your password, encrypted, for you and also allows you to easily generate a complicated and hard-to-crack password that is unique to a site. LastPass has plugins available for every browser under the sun. If you're just getting started with LastPass, here's our introduction to LastPass, our intermediate guide, and a guide to auditing and updating your passwords with LastPass.

NoScript (Firefox)

NoScript is a Firefox-only plugin that does one thing and does one thing well—it blocks scripts such as JavaScript, Flash, Quicktime, and more from loading in your browser window. (Chrome users may want to check out the similar Chrome extension, NotScripts.) The reason it works so well for security purposes is that malicious web sites can use these scripts as attack vectors in order to cause a browser crash and to gain access to your computer. By blocking these scripts you can make yourself significantly safer on the web.
Keep in mind that for most of us, blocking all scripts would result in a fairly broken internet, given that many websites, such as Google, Gmail, Twitter, Lifehacker and others rely on JavaScript to load their pages. NoScript allows you to block 3rd-party scripts or even just from unsafe domains. You can manage these settings in detail, giving you the maximum security with minimum inconvenience.

Web of Trust (All Browsers)

Web of Trust is another plugin that does something different than the above. Instead of halting any attack vectors, it lets you know whether the website you are visiting is trustworthy or not. That way, if you happen across a website that you think is trustworthy and even looks it, you get a warning that you should not submit your personal information to the site.
It relies on user ratings to rate sites, and in my experience it has been very accurate and useful.

Supplemental Reading
We recently highlighted a few easy steps for securing your online life, some of which employ a few extensions here. For an even more secure browsing experience, here's how to encrypt your entire browsing session.

[Lifehacker]

Sunday, 27 February 2011

DIY: Free tools for removing malicious software

Fighting the malware battle really hurts when you’re spending a good deal of your IT budget (if you even have an IT budget) on software to protect machines from attacks. Here’s how to do it for free.

Malicious software (viruses, rootkits, trojans, worms, and other malware) is so prevalent that it seems one of the primary jobs for IT is protecting against, cleaning, and removing said software. No matter how hard you try, or how much you pay for the software you use to protect your desktops, it always seems like a losing battle. Fighting that losing battle really hurts when you are spending a good deal of your IT budget (if you even have an IT budget) on software to protect machines from attacks.

It doesn’t have to be that way. I have found plenty of tools that can help in the quest to have a virus/malware-free environment. These tools can be either installed on your machines or used as a toolkit to carry with you to fight the good fight. You won’t find enterprise-grade tools here. What you will find are tools I have found to do the best job at keeping my systems clean.

Combofix

Combofix is my first line of defense tool when I suspect something has taken over a machine. But you shouldn’t just run this powerful tool without a few considerations. First, and foremost, what will Combofix fix? After a successful run of Combofix, you should have cleaned (if applicable): malware, rootkits, trojans, worms, and viruses. What you need to know about Combofix prior to running it is quite important. The single most important issue with Combofix is that you cannot run it with an antivirus tool enabled. With some antivirus solutions you can simply disable the tool (Symantec Endpoint Protection is a perfect example). One particular antivirus solution, AVG, I have found to require complete removal before running Combofix. And to be on the safe side, I prefer to run Combofix with the computer in safe mode. One other note: never download Combofix from any other site than Bleeping Computer or ForoSpyware.

CCleaner

Another free tool, CCleaner does two things incredibly well: it cleans the Windows registry and removes cached web data. There are a lot of registry cleaners available, but CCleaner is the one I always trust. As with any tool, you want to make sure you understand the tool before using it. And although cleaning cached browser data is fairly harmless, cleaning the registry is not. I highly recommend always doing a backup of the registry when using CCleaner to take care of this task. Fortunately CCleaner has a built-in tool for backing up said registry.

Microsoft Security Essentials

After using so many different anti-virus tools, the one tool that seems to work nearly as well as any other, without any attached cost, is Microsoft Security Essentials. Not only will this anti-virus tool work well to help prevent infection, it does so with as little drain on the system as nearly any anti-virus tool.

Malwarebytes

People are always surprised to find out they need anti-spyware as well as anti-virus protection. Of the anti-malware tools I have used, Malwarebytes seems to be the most effective. Now there are two different versions of Malwarebytes: Free and Paid. The biggest difference is the Paid version has a real-time scanner built in. The free version must be run manually. This is not a problem if you are in control of all the PC scanning, or you can trust your users to manually run the software nightly (as well as manually update the definitions often). If you cannot trust your users to run this piece of software, you might need to buckle down and drop the $24.95 for the licensed version.

Clonezilla

Clonezilla is Free Open Source Software (FOSS) that allows you to do bare metal backups and recoveries. There are two different versions available: Clonezilla Live or Clonezilla SE (Server Edition). As the name implies, Clonezilla Live is a small, bootable live Linux distribution that allows you to do a single clone at a time. The Server Edition requires a DRBL server and allows you to do massive cloning. With the Server Edition you can do large, simultaneous restores quickly (instead of a single clone at a time). Regardless of which tool you use, Clonezilla is a very reliable tool for bare metal backups and restores.

Hamachi

Although not a tool that will help you clean up your systems, Hamachi will allow you to add machines to a VPN without having the associated costs of a typical VPN. I have already covered this tool in my OpenSource post “Use Hamachi VPN on your Linux clients,” so I will let you use that as a basis for installation and use. If you’re curious how this can be used as an admin tool - you can always house your toolkit on a machine connected to Hamachi VPN and then access those tools from anywhere (so long as you can add Hamachi to the machine in question.)

Final thoughts

There are so many pieces of software available for the DIY user, which only means more trouble in discerning which ones are worth using. Hopefully the list above will help you narrow down the tools you need to keep around in your DIY toolkit.

[TechRepublic]

10 common security mistakes that should never be made

Read about ten very basic, easily avoided security mistakes that should never be made — but are among the most common security mistakes people make.


The following is a list of ten security mistakes I see all the time. They’re not just common, though — they’re also extremely basic, elementary mistakes, that anyone with a modicum of security knowledge should know better than to make.
  1. Sending sensitive data in unencrypted email: Stop sending me passwords, PINs, and account data via unencrypted email. Please. I understand that a lot of customers are too stupid or lazy to use encryption, but I’m not. Even if you’re going to give them what they want, in the form of unencrypted sensitive data sent via email, that doesn’t mean you can’t give me what I want — secure communications when sending sensitive data.
  2. Using “security” questions whose answers are easily discovered: Social security numbers, mothers’ maiden names, first pets, and birthdays do not constitute a secure means of verifying identity. Requiring an end user to compromise his or her password by specifying a question like that as a means of resetting the password basically ensures that the password itself is useless in preventing anyone that is willing to do a little homework from gaining unauthorized access.
  3. Imposing password restrictions that are too strict: The number of cases I’ve seen where some online interface to a system that offers the ability to manage one’s finances — such as banking Web sites — impose password restrictions that actually make the interface less secure is simply unacceptable. Six-character numeric passwords are dismayingly common, and the examples only go downhill from there. See a previous article, “How does bad password policy like this even happen?” for another example in more detail.
  4. Letting vendors define “good security”: I’ve said before that there’s no such thing as a vendor you can trust. Hopefully you were listening. Ultimately, the only security a corporate vendor really cares about protecting is the security of its own profits and market share. While this sometimes prompts a vendor to improve the security of its products and services, it sometimes prompts exactly the opposite. As such, you must question a vendor’s definition of “good security”, and you must not let vendors tell you what’s important to you.
  5. Underestimating required security expertise: People in positions of authority in corporations often fail to understand the necessity for specific security expertise. This applies not only to nontechnical managers, but to technical IT managers as well. In fact, standards working groups such as the one that produced the WEP standard often include a lot of very smart technologists, but not a single cryptographer, despite the fact they intend to develop security standards that rely explicitly on cryptographic algorithms.
  6. Underestimating the importance of review: Even those with security expertise specific to what they’re trying to accomplish should have their work checked by others with that expertise as well. Peer review is regarded in the security community as something akin to a holy grail of security assurance, and nothing can really be considered secure without being subjected to significant, punishing levels of testing by security experts from outside the original development project.
  7. Overestimating the importance of secrecy: Many security software developers who make the mistake of underestimating the importance of review couple that with overestimation of the importance of secrecy. They justify a lack of peer review with hand-waving about how important it is to keep security policies secret. As Kerckhoffs’ Principle — one of the most fundamental in security research — points out, however, any system whose security relies on the design of the system itself being kept secret is not a system with strong security.
  8. Requiring easily forged identification: Anything that involves faxing signatures, or sending photocopies or scans of ID cards, is basically just a case of security theater — putting on a great show without actually providing the genuine article (security, in this case) at all. It is far too easy to forge such second-generation (or worse) low quality copies. In fact, for things like signatures and ID cards, the only way for a copy to serve as useful verification is for it to actually be a good enough copy that it is not recognized as a copy. Put another way, only a successful forgery of the original is a good enough copy to avoid easy forgery.
  9. Unnecessarily reinventing the wheel: Often, developers of new security software are recreating something that already exists without any good reason for doing so. Many software vendors suffer from Not Invented Here disease, and end up creating new software that doesn’t really do anything new or needed. That might not be a big deal, if not for the fact that the new software is often not peer reviewed, makes security mistakes that have already been ironed out of the previous implementation of the idea, and generally just screws things up pretty badly. Whenever creating a new piece of software, consider whether you’re replacing something else that already does that job, and whether your replacement actually does anything different that is important. Then, if it is doing something important and different, think about whether you might be able to just add that to the already existing software so you will not create a whole new bundle of problems by trying to replace it.
  10. Giving up the means of your security in exchange for a feeling of security: This is a mistake so absurd to make that I have difficulty formulating an explanation. It is also so common that there’s no way I can leave it out of the list. People give up the keys to their private security kingdoms to anyone who comes along and tells them, “Trust me, I’m an expert,” and they do it willingly, eagerly, often without thought. “Certificate Authorities” tell you who to trust, thus stripping you of your ability to make your own decisions about trust; Webmail service providers offer on-server encryption and decryption, thus stripping you of end-to-end encryption and control over your own encryption keys; operating systems decide what to execute without your consent, thus stripping you of your ability to protect yourself from mobile malicious code. Don’t give up control of your security to some third party. Sure, you may not be able to develop a good security program or policy yourself, but that doesn’t mean the program or policy shouldn’t give you control over its operation on your behalf.

Saturday, 26 February 2011

Apple invites security experts to review Lion developer preview


CNET reports that Apple has sent notice to a few big-time security experts, including some folks who've attacked OS X security in the past, to check out the developer preview of OS X Lion. "As you have reported Mac OS X security issues in the past," the letter reportedly tells the researchers, "I thought that you might be interested in taking a look at this. It contains several improvements in the area of security countermeasures."

Note that this isn't actual consulting on the part of these researchers, though they are getting a preview copy of the OS for free. Dino Dai Zovi is one of the experts that Apple invited to check out the system, and he lauds the move on Twitter, stating that it "looks to be a step in the direction of opening up a bit and inviting more dialogue with external researchers."

Good for Apple, in that case. Hopefully the outcome of all of this is a more secure operating system, and we can all appreciate that for sure.

[AppleInsider] via [TUAW]

Security concerns over new Thunderbolt I/O technology


The Thunderbolt Logo


Security experts are casting a critical eye over Intel's new Thunderbolt high-speed interface, which is first scheduled to become commercially available with Apple's new MacBook Pro. The experts say the interface offers insufficient protection against potentially malicious devices.

Unlike such technologies as USB, Thunderbolt doesn't use a master/slave concept in which the PC controls communication. Rather, the new technology's concept is similar to that of Firewire, where a connected device can access a PC's working memory, for instance via DMA. Researchers such as those working in forensics have for some time taken advantage of this to create memory maps of the PCs they investigate. Vendor HBGary, for example, who was recently compromised by Anonymous, provided the US authorities with a framework that allows spyware to be injected into an unprotected but locked notebook via the Firewire port.

It appears that similar possibilities exist with Thunderbolt; for instance, the technology doesn't seem to include any device authentication. "The current Thunderbolt simply sends PCIe signals across the wire. That means, in theory, anything a PCIe card can do, a Thunderbolt device can do", warns Robert Graham from Errata Security.

As a potential attack scenario, Graham describes a conference presenter who connects his notebook to a projector via DisplayPort, which is supported by Thunderbolt. Unbeknown to the presenter, the projector could then secretly copy the entire contents of the notebook's hard disk in the background, said Graham. While this could, in principle, be prevented by such virtualisation technologies as Intel's Virtualisation Technology for Directed I/O (VT-d), the related technologies must actively be supported by the hardware as well as by the operating system and its drivers – which Graham said wasn't the case in Mac OS X when he last checked.

As no actual devices are available yet, criticisms are currently still rather vague. Furthermore, one mustn't forget that similar problems already exist with such ports as ExpressCard and SD/IO. Should Thunderbolt become as popular as USB, the issue could no longer be ignored. There is still time though; most projectors at conferences don't even offer DVI or HDMI connectors yet and still rely on VGA ports.

[h-online]

The Computer Attacks You've Never Heard Of

We've all heard of worms, Trojan horses, phishing, and other common computer security attacks that aim to infect your system and steal your data. But what about bluebugging, smishing, and scareware? Brush up on your computer security terminology with these lesser-known attackers.


Malware is serious business. It can slow PCs down to a crawl. On the other hand, some of the terms security researchers have decided to name these sometimes annoying (and often damaging) pieces of code are downright charming.

Here are nine that stand out, followed by seven most people have heard of:

The Security Attacks Most People Have Never Heard Of

Smishing: Smishing or "SMS phishing" refers to a phishing attack that specifically targets mobile phones. The victim receives an SMS with a hyperlink through which malware finds its way onto the phone, or which leads the user to a phishing site formatted for mobile screens. The term was brought on by David Rayhawk in a McAfee Avert Labs blog.

Botnet (Zombie PCs): A portmanteau of the words "Robot" and "Network," a Botnet is any number of internet computers that, unbeknownst to their owners, forward e-mails (which may include spam, malware, or viruses) to other computers on the internet. These infected computers are also known as "zombies". DoS attacks (Denial of Service) often rely on thousands of zombie PCs.

BlueBugging: A craze originally jumpstarted by a Malaysian IT professional, bluebugging (not to be confused with bluesnarfing) allows a more skilled person to illegally access a cellular phone via Bluetooth wireless technology. This act often goes unnoticed, without any notification or alert to the phone's user. A vulnerability such as this allows phone calls to be placed, SMS messages to be read and sent, phonebook contacts to be erased, phone conversations to be tapped, and other malicious activities. But much to the hacker's dismay [I think the hacker knows the limitations… perhaps the point is that widespread impact is minimized because of the range…], access is only attainable within a 10 meter range of the phone.

Pod Slurping: Coined by US security expert Abe Usher, "Pod Slurping" is when an iPod or any portable USB storage device surreptitiously copies large amounts of files from your computer to its own storage. Pod slurping is becoming an increasing security risk to companies and government agencies. Typically, access is gained while the computer is unattended, and this process can occur in as little as 65 seconds.

Ransomware: A program that makes a computer nearly unusable and then demands payment in order for the user to regain full access. It "kidnaps" the computer! Ransomware is also commonly referred to as a "cryptovirus" or "cryptotrojan." Examples of Ransomware include Gpcode.AK, Krotten, and Archiveus. Ransomware originated with a trojan called PC Cyborg, created by a Dr. Joseph Popp.

Scareware: Scareware is software that tricks people into downloading or purchasing it, under the guise of fixing their computer, when in reality the faux anti-virus program is the real problem. Scareware programs often run a fictitious or careless system scan, and then present the user with a list of malicious programs that must be corrected, always leaving itself off of the list. The scareware then informs the user that, in order to fix these "problems", they must pay a fee for a "full" or "registered" version of the software. Examples of scareware include: System Security, Anti-Virus 2010, and Registry Cleaner XP.

Sidejacking: Sidejacking is a hacking technique used to gain access to your website-specific accounts. Websites typically encrypt your password so it cannot be stolen, but then send you an unencrypted "session-id". The session-id is either some random data in the URL or, more often, random data in an HTTP cookie. A hacker who finds the session-id can then use it to gain access to the respective account, enabling the hacker to read your email, look at what you've bought online, control your social network account, and so on. Robert Graham, who pulled together a variety of known and new vulnerabilities and packaged them into an automated session snatcher, was responsible for this term.
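
An audit a defender can run against the cookie behaviour described above (and against the cleartext session problem that HTTPS Everywhere and Firesheep illustrate in the extensions piece earlier on this page), as an added example that is not from the article or from any named tool: it parses a response's Set-Cookie headers and flags session cookies that lack the Secure or HttpOnly attributes. The session-name heuristic and the sample headers are constructed.

```python
"""Audit Set-Cookie headers for the attributes that blunt sidejacking.

Added example (not from the article, Firesheep, or any named tool): parse
a response's Set-Cookie headers and flag session cookies that can be read
off a cleartext hop (no Secure attribute) or by injected page script (no
HttpOnly). The sample headers and the name heuristic are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed heuristic: cookie names that usually carry a session identifier.
SESSION_NAME_HINT = re.compile(r"sess|sid|token|auth", re.IGNORECASE)


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    samesite: str
    issues: list = field(default_factory=list)


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, {attribute: value}).

    Attribute names are compared case-insensitively, as RFC 6265 requires;
    flag attributes such as Secure carry no value and are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if has_value else True
    return name.strip(), attrs


def audit_cookies(set_cookie_headers):
    """Return one CookieReport per header; issues are filled in for session cookies."""
    reports = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        samesite = attrs.get("samesite")
        report = CookieReport(
            name=name,
            secure="secure" in attrs,
            httponly="httponly" in attrs,
            samesite=samesite if isinstance(samesite, str) else "",
        )
        if SESSION_NAME_HINT.search(name):
            if not report.secure:
                report.issues.append("session id sent over cleartext HTTP (missing Secure)")
            if not report.httponly:
                report.issues.append("session id readable by page script (missing HttpOnly)")
        reports.append(report)
    return reports


# Constructed headers standing in for a captured HTTP response.
SAMPLE_HEADERS = [
    "PHPSESSID=3f9a2c1e; Path=/",
    "auth_token=QmFzZTY0; Path=/; Secure; HttpOnly; SameSite=Lax",
    "lang=en; Path=/; Max-Age=31536000",
]


def sidejackable_cookies(set_cookie_headers=SAMPLE_HEADERS):
    """Names of session cookies an observer of cleartext traffic could reuse."""
    return [r.name for r in audit_cookies(set_cookie_headers) if not r.secure and r.issues]


if __name__ == "__main__":
    for r in audit_cookies(SAMPLE_HEADERS):
        print(r.name, r.issues or "ok")
    print(sidejackable_cookies())  # ['PHPSESSID']
```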

Black Hat: "Black Hat" hackers are those people who specialize in unauthorized breaching of information systems, often attacking those containing sensitive information. They may use computers to attack systems for profit, for fun, or for political motivations. Attacks often involve modification and/or destruction of data which is done without authorization. They also may distribute computer viruses, internet worms and deliver spam through the use of botnets.

White Hat: A "White Hat" hacker describes an individual who identifies a security weakness in a computer system or network but, instead of maliciously taking advantage of it, exposes the weakness and repairs the vulnerability, protecting the network from unwarranted intrusions or attacks. The term is taken from old western films, where the white hat cowboy is portrayed as the hero, and the black hat as the villain.

The Attacks Everyone Sort of Understands

Worm: Originating with engineers at the Xerox Palo Alto Research Center in 1979, a "Computer Worm" was originally designed to make programs run more efficiently, then later corrupted into a destructive computer virus that can alter or erase data on computers. Often, they leave files irretrievably corrupted or slow the PC down to a crawl.

Trojan Horse: A long-standing and common infection found amongst even the newest of computers, this destructive program disguises itself as a harmless application. Although Trojans are incapable of self-replication, they are still just as destructive as a computer virus. In an act similar to its Greek origin, a Trojan horse often opens up a backdoor to your computer, enabling potential viral infections and allowing hackers to control the PC. Origins trace back to MIT hacker turned NSA spook, Dan Edwards.

Phishing: Originated by hackers who were stealing America On Line accounts by scamming passwords from unsuspecting users, "phishing" is the age-old crime of taking ownership of sensitive information from third parties (phishing scam victims). Information includes usernames, passwords, banking information, and credit card numbers. This is typically accomplished by sending someone an e-mail fraudulently claiming to be from a legitimate company, or redirecting someone to a website that looks legitimate but isn't. More often than not, the direct result of being phished is your identity being stolen.

Script Kiddies: A term originated by Marcus Ranum to describe white hats who had no idea what they were doing, a script kiddy (sometimes plural as kiddies) is a derogatory term, used by more skilled hackers of computer security systems, to describe young or less experienced hackers who still can be just as much a threat or annoyance. Utilizing cheap techniques, pre-written scripts and sometimes with assistance, the average script kiddy can exploit a weakness in computer networks. The difference is that these untrained hackers are often unaware of the potential consequences of their actions.

Keylogging: Originally designed by Perry Kivolowitz for a Usenet news group in 1983, Keylogging for the most part has become increasingly common, not to mention dangerous. It involves the recording of any keyboard input via internet connection. Not every instance of keylogging is necessarily illegal. It's sometimes done as a way to monitor teens and children.

Social Engineering: Brought into common knowledge by Kevin Mitnick (a hacker popular back in the day), Social Engineering involves obtaining or attempting to obtain private data by illegally persuading an individual to reveal otherwise secure information. The Information released by victims is often then used to attack a computer network. One common example would be when an employee at a large company is convinced to give out his employee identification, and then it is manipulated to gain further access to the said company's network, often sensitive information.

Crapware: Originally coined and reported by Marc Orchant on his ZDNet blog, Crapware is comprised of programs that use valuable resources on a computer's hard drive, such as memory or RAM, which are not necessary and are unused by the computer owner. Crapware can range from software loaded onto the system prior to sale to programs that are downloaded from the internet without the knowledge or consent of the user. One of the more common examples of Crapware is AOL being installed on PCs by the PC manufacturer.

[Gizmodo]

Malware endemic even on protected PCs

Many users remain infected with computer malware – despite the fact that the vast majority are running machines protected by anti-virus software.

A study by European Union statistics agency EUROSTAT found that one third of PC users (31 per cent) had the pox even though the vast majority (84 per cent) were running security software (anti-virus, anti-spam, firewall) on their PCs. Of the survey's respondents, 3 per cent reported financial loss as a result of pharming or phishing attacks, while a further 4 per cent reported privacy violations involving data sent online.

Bulgaria (58 per cent) and Malta (50 per cent) top the list of most infected users. By comparison, Finland (20 per cent), Ireland (15 per cent) and Austria (14 per cent) did relatively well.

Trojans (59.2 per cent) were the most common type of infection found on compromised PCs, followed by viruses (11.7 per cent).

A separate study by antivirus firm Panda, also published this week, tells a similar story. Half (50 per cent) of the computers scanned by Panda in January harboured malware. As with the EU study, Trojans were the single greatest problem, accounting for 59.2 per cent of infections. Machines in Thailand, China, Taiwan, Russia and Turkey were the most commonly affected. Panda's figures come from users of its ActiveScan tool.

Panda published the study to illustrate its long-standing argument that cloud-based architectures are needed to stand any chance of keeping the growing volume of malware produced by cybercrooks and mischief-makers in check.

[The Register]

The Cyberweapon That Could Take Down the Internet

A new cyberweapon could take down the entire internet – and there's not much that current defences can do to stop it.

So say Max Schuchard at the University of Minnesota in Minneapolis and his colleagues, the masterminds who have created the digital ordnance. But thankfully they have no intention of destroying the net just yet. Instead, they are suggesting improvements to its defences.

Schuchard's new attack pits the structure of the internet against itself. Hundreds of connection points in the net fall offline every minute, but we don't notice because the net routes around them. It can do this because the smaller networks that make up the internet, known as autonomous systems, communicate with each other through routers. When a communication path changes, nearby routers inform their neighbours through a system known as the border gateway protocol (BGP). These routers inform other neighbours in turn, eventually spreading knowledge of the new path throughout the internet.

A previously discovered method of attack, dubbed ZMW – after its three creators Zhang, Mao and Wang, researchers in the US who came up with their version four years ago – disrupts the connection between two routers by interfering with BGP to make it appear that the link is offline. Schuchard and colleagues worked out how to spread this disruption to the entire internet and simulated its effects.

Surgical strike
The attack requires a large botnet – a network of computers infected with software that allows them to be externally controlled: Schuchard reckons 250,000 such machines would be enough to take down the internet. Botnets are often used to perform distributed denial-of-service (DDoS) attacks, which bring web servers down by overloading them with traffic, but this new line of attack is different.

"Normal DDoS is a hammer; this is more of a scalpel," says Schuchard. "If you cut in the wrong places then the attack won't work."

An attacker deploying the Schuchard cyberweapon would send traffic between computers in their botnet to build a map of the paths between them. Then they would identify a link common to many different paths and launch a ZMW attack to bring it down. Neighbouring routers would respond by sending out BGP updates to reroute traffic elsewhere. A short time later, the two sundered routers would reconnect and send out their own BGP updates, upon which attack traffic would start flowing in again, causing them to disconnect once more. This cycle would repeat, with the single breaking and reforming link sending out waves of BGP updates to every router on the internet. Eventually each router in the world would be receiving more updates than it could handle – after 20 minutes of attacking, a queue requiring 100 minutes of processing would have built up.

Clearly, that's a problem. "Routers under extreme computational load tend to do funny things," says Schuchard. With every router in the world preoccupied, natural routing outages wouldn't be fixed, and eventually the internet would be so full of holes that communication would become impossible. Schuchard thinks it would take days to recover.

"Once this attack got launched, it wouldn't be solved by technical means, but by network operators actually talking to each other," he says. Each autonomous system would have to be taken down and rebooted to clear the BGP backlog.
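The cut-and-restore cycle described above, modelled as an added example (this is not the researchers' simulator, nor code from New Scientist): a small path-vector routing model on a constructed AS topology counts the update messages each router must process when one link flaps, and a simple queue model shows when that per-cycle work outruns the flap interval and a backlog builds. The AS numbers, the link set, the flapped link (4-6), the 2 ms per-update cost, the 30-second flap interval and the 50,000-updates-per-cycle figure are all assumptions made for illustration.

```python
"""Toy model of the update storm a flapping link causes in a path-vector
routing system such as BGP.  Added example: this is not the simulator used by
Schuchard et al. or code from New Scientist.  The topology, per-update cost and
flap interval below are constructed assumptions chosen for illustration."""
from collections import Counter

# Constructed AS-level topology (assumption): undirected adjacencies written as
# (lower, higher) AS number, with the prefix of interest originated by AS 6.
LINKS = {(1, 2), (2, 3), (3, 4), (1, 5), (4, 5), (4, 6), (2, 6)}
ORIGIN = 6


def adjacency(links):
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def uses_link(path, link):
    """True if the AS path (a tuple of AS numbers) traverses the given link."""
    hops = {tuple(sorted(pair)) for pair in zip(path, path[1:])}
    return tuple(sorted(link)) in hops


def converge(links, paths):
    """Run synchronous path-vector rounds until no AS changes its best path.

    Each round every AS picks the shortest loop-free path offered by a
    neighbour (BGP's AS_PATH check rejects paths already containing the AS).
    An AS whose best path changed sends an update to all neighbours.  Returns
    (paths, updates) where updates[asn] counts the messages that AS had to
    process; that count is what accumulates in a router's input queue.
    """
    adj = adjacency(links)
    paths = dict(paths)
    updates = Counter()
    while True:
        new = {}
        for asn in adj:
            if asn == ORIGIN:
                new[asn] = (ORIGIN,)
                continue
            offers = [(len(paths[nb]) + 1, (asn,) + paths[nb])
                      for nb in adj[asn]
                      if paths.get(nb) is not None and asn not in paths[nb]]
            new[asn] = min(offers)[1] if offers else None
        changed = [asn for asn in adj if new[asn] != paths.get(asn)]
        if not changed:
            return paths, updates
        for asn in changed:
            for nb in adj[asn]:
                updates[nb] += 1
        paths = new


def cut_link(links, paths, link):
    """Model the link going down: the two adjacent routers detect the loss
    (the ZMW effect), every path that crossed the link is withdrawn, and the
    remaining topology reconverges."""
    withdrawn = {asn: None if p is not None and uses_link(p, link) else p
                 for asn, p in paths.items()}
    return converge(links - {link}, withdrawn)


def flap_cycle(links, paths, link):
    """One cut-then-restore cycle.  Returns the final paths (identical to the
    starting ones once converged) and the per-router update counts."""
    paths, down = cut_link(links, paths, link)
    paths, up = converge(links, paths)
    return paths, down + up


def backlog_after(updates_per_cycle, cycle_s, cost_s, duration_s):
    """Deterministic queue model for one router: each flap cycle adds
    updates_per_cycle * cost_s seconds of work, and the router drains at most
    cycle_s seconds of work per cycle.  Returns the unprocessed work (seconds)
    left after duration_s.  The queue only grows when the work per cycle
    exceeds the cycle length, which is the condition the attack engineers."""
    backlog = 0.0
    for _ in range(int(duration_s // cycle_s)):
        backlog = max(0.0, backlog + updates_per_cycle * cost_s - cycle_s)
    return backlog


if __name__ == "__main__":
    empty = {asn: None for asn in adjacency(LINKS)}
    paths, _ = converge(LINKS, empty)
    print("steady state:", paths)
    paths, per_router = flap_cycle(LINKS, paths, (4, 6))
    print("updates per router for one flap of link 4-6:", dict(per_router))
    # Constructed numbers (assumption): 50,000 updates per cycle per router at
    # 2 ms each, one flap every 30 s, sustained for 20 minutes.
    print("backlog after 20 min (s):", backlog_after(50_000, 30, 0.002, 1200))
    print("same router, 2 updates per cycle (s):", backlog_after(2, 30, 0.002, 1200))
```

On the toy network a flap of link 4-6 costs each router only one or two updates, which it drains easily, so the second `backlog_after` call stays at zero. The first call, with the constructed 50,000-update figure, is the regime the article describes: every cycle adds more work than the interval allows, and the queue grows without bound for as long as the flapping continues. What makes the real attack potent is choosing a link that many paths traverse, so that the per-flap update count is large for many routers at once.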

Meltdown not expected
So is internet meltdown now inevitable? Perhaps not. The attack is unlikely to be launched by malicious hackers, because mapping the network to find a target link is a highly technical task, and anyone with a large enough botnet is more likely to be renting it out for a profit.

An alternative scenario would be the nuclear option in a full-blown cyberwar – the last resort in retaliation to other forms of cyberattack. A nation state could pull up the digital drawbridge by adjusting its BGP to disconnect from the internet, just as Egypt did two weeks ago. An agent in another country could then launch the attack, bringing down the internet while preserving the attacking nation's internal network.

Sitting duck
Whoever launched the attack, there's little we could do about it. Schuchard's simulation shows that existing fail-safes built into BGP do little to protect against his attack – they weren't designed to. One solution is to send BGP updates via a separate network from other data, but this is impractical as it would essentially involve building a shadow internet.

Another is to alter the BGP system to assume that links never go down, but this change would have to be made by at least 10 per cent of all autonomous systems on the internet, according to the researchers' model, and would require network operators to monitor the health of connections in other ways.

Schuchard says that convincing enough independent operators to make the change could be difficult.

"Nobody knows if it's possible to bring down the global internet routing system," says Mark Handley, an expert in networked systems at University College London. He suggests that the attack could cause "significant disruption" to the internet, with an effect greater than the Slammer worm of 2003, but it is unlikely to bring the whole thing down.

"The simulations in the paper make a lot of simplifying assumptions, which is necessary to simulate on this scale," he explains. "I doubt the internet would behave as described."

Schuchard and colleagues presented their findings at the Network and Distributed System Security Symposium in San Diego, California, two weeks ago.

[New Scientist] via [Gizmodo]

Secure your online life the easy way

There are add-ons, VPNs, and apps galore that offer a safer browsing experience—but the browser you use, and the sites you visit, offer strong but simple security tools, too. Here are the best of the no-hassle, no-install-required options that you should be using now.

Stash Your Passwords the Safe Way


If you're up for it, consider making LastPass your easy, any-browser, any-OS solution, or get into KeePass for even tighter, more customized security. Not up for installing something new and setting it all up? Then simply fix up your current browser's password-saving system.
  • Firefox can save your passwords, but does so insecurely, so that anyone who grabs your laptop, or digs into your files, can read them. So be sure to enable the Master Password, and while you're at it, install Master Password + for a less-annoying, more-secure tool.
  • Chrome can save your passwords, too, and also sync them through the Google cloud to any other Chrome browser you use. But be sure to protect your passwords with a passphrase.
  • Internet Explorer, even in its pre-release ninth version, doesn't offer much in the way of password protection, beyond a toggle to ask you before saving each password. You're best off getting friendly with LastPass.

Enable HTTPS and Better Security Everywhere You Can



If you're surfing without an encrypted connection, you're leaving yourself open to, at best, a practical joke from friends; at worst, a breach of security in your social networks, email, or other accounts, which can lead to further harm. It seems like paranoia, unless you've had a tech-savvy friend prove to you just how open you are.
Most sites that you'd want to use now offer an encrypted connection option, usually termed as "HTTPS" or "SSL." If a site doesn't have that option, and it's holding your personal data, consider whether you really need to be using that service. Here are the services for which you should definitely enable the secure/https option:
  • Gmail: Secure connections are usually a default now, but double-check: head into Settings, look under "Browser connection," and ensure that "Always use https" is enabled. (Be sure, too, that you've enabled two-step verification for your Google account, Gmail included.)
  • Facebook: Recently offered, and not enabled by default. To make use of it, click the Account link on any Facebook page while logged in, head to Account Settings, then, under "Account Security", hit the change button and check the box that says "Browse Facebook on a secure connection (https) whenever possible." Hit the Save button and head elsewhere.
  • Yahoo: Yahoo has a lot of really great, personalized account security options—so why aren't you using them? Logged into any Yahoo page, click under your name (in the "Hi Kevin" link), and choose Account Info. You'll have to enter your password again (but, hey, that's good!), but then you can set custom password reset questions, require an SMS code for verification, set up an alternate email address for account recovery, and many more really good options that are both free and easy to use.
  • Hotmail: Now offered for everyone, though not fully supported across clients like Outlook and Windows Live Mail. If you're mostly using Hotmail in your browser, add an "s" to your Hotmail URL (https://hotmail.com), and you should see a screen asking you if you always want to use a secure connection. You probably do.
  • eBay/PayPal: Log into PayPal, click the My Account tab, then click the Profile sub-tab. Look for the "Security Key" tab. For $5, you can order a physical token that generates one-time codes, without which PayPal won't let anyone come close to your money. For those who do a decent amount of trading, especially overseas, it's a worthy investment.

Make It Harder for People to Pretend They're You

Not every site offers encrypted connections or extra security options, but most offer some kind of password recovery scheme for your convenience. Then again, most of them hinge on simple email confirmations, or security "questions" whose answers someone could discover from, say, your Facebook profile.

What's to be done about overly simple security features? Do your own thing. Create fake, snarky answers to security questions about your favorite teacher, your first pet, or easily discovered relatives. One thing I've done for security questions that seem halfway decent is to answer the opposite of whatever the question was—so, enter your least favorite teacher, your last childhood pet, and maybe not the mascot of the high school you attended, but the mascot of that school's arch-rival. Whatever scheme you pick, record the made-up answers alongside your passwords: a recovery answer you cannot reproduce locks you out as effectively as it locks out an attacker.

Keep Insecure Plug-Ins from Exposing You

Take a tip from Jeff Atwood, who found that, despite his best intentions, he had a fake anti-virus app installed on his machine. The culprit was a Java plug-in that allowed a site Atwood was passing by to sneak in some badly behaved code.

The modern browser is full of plug-ins, some of them occasionally necessary. How does one prevent these house guests from inviting all kinds of crashers onto your system?

First things first: head to Mozilla's super-handy Plugin Check page, which works with almost any browser, and see which of your plug-ins need updating now. You'll probably be a bit surprised, as even I was, evidenced by the screen capture above.

Chrome has a few good options for keeping insecure plug-ins at bay. You can set them to "click-to-play" or disable them individually, or enter about:flags into your address bar and enable the "Disable outdated plugins" option to automatically shut down plug-ins that have known vulnerabilities.

Firefox will work some automatic plug-in monitoring into its future versions, as will other browsers; for now, consider making Plugin Check something you visit frequently—maybe even as one of your multiple startup pages.

Pretend Like You're Always Surfing in Public

When Starbucks went totally free with their Wi-Fi recently, we offered some good tips on staying safe on public Wi-Fi networks. They are, however, good tips for doing any kind of surfing. Turn off sharing, enable your firewall, and poke into a few other settings that are built-in, free, and easy.

Friday, 25 February 2011

PayPal Freezes Account of Group Raising Money for Bradley Manning

PayPal has frozen the account of a group that has been raising money for the legal defense of accused WikiLeaks source Bradley Manning, citing a failure to meet PayPal’s requirement for nonprofit groups.
According to Courage to Resist, a military veterans advocacy group that has been raising donations for Manning’s defense, PayPal froze the account after the group refused to link its PayPal account to its checking account, which would give the online payment provider access to funds in the checking account.

“We exchanged numerous e-mails and phone calls with the legal department and the office of executive escalations of PayPal,” said Jeff Paterson in a press release. “They said they would not unrestrict our account unless we authorized PayPal to withdraw funds from our organization’s checking account by default. Our accounting does not allow for this type of direct access by a third party, nor do I trust PayPal as a business entity with this responsibility given their punitive actions against WikiLeaks — an entity not charged with any crime by any government on Earth.”

[PayPal has since unfrozen the account. See update at bottom of this post.]

The advocacy group has been raising funds for the Manning Support Network and has so far paid Manning’s defense attorney at least $50,000 from money that it raised on the soldier’s behalf. Paterson did not respond to a call for comment, but said in the press release that his group opened the PayPal account in 2006.

A spokesman for PayPal took issue with how the advocacy group has characterized the matter, saying this was not about Courage to Resist's support for Manning. Company policy requires all nonprofit organizations with 501(c)3 status to link their PayPal account to a bank account. That provides a clear audit trail if the IRS or other government agency ever raises questions about an organization's non-profit status.

“It’s pretty normal practice to be honest,” said PayPal spokesman Anuj Nayar. “It doesn’t normally cause the issues that it has caused in this case. We were very surprised to see the press release.”

He acknowledges that linking to the account allows PayPal to withdraw funds from the bank account as well, but said this is never done without authorization and is generally done only when PayPal has determined that a merchant or organization is engaged in fraud.

He added that the frozen account was not specifically a Bradley Manning legal defense account.
“The release makes it very much sound like they have a legal defense fund connected to PayPal and that’s what we’ve turned off,” Nayar said. “But there is no PayPal account for a Manning legal defense fund. It’s a Courage to Resist account.”

Asked why, if the Courage to Resist account was opened in 2006, PayPal hadn’t raised the issue of linking it to a bank account earlier, Nayar did not have an immediate response. He said only that nonprofit organizations are allowed to open accounts easily and quickly.

“We don’t limit them prior to opening and saying they’re a nonprofit before allowing them to open an account,” he said.

With regard to PayPal’s assertion that it’s only following company policy, Courage to Resist says it repeatedly requested and was refused formal documentation from PayPal describing its policy.

“They opted to apply an exceptional hurdle for us to clear in order to continue as a customer, whereas we have clearly provided the legally required information and verification,” the group wrote.

Manning’s defense is expected to cost about $115,000. In addition to the funds raised by Courage to Resist, WikiLeaks — after a protracted delay — contributed $15,100 to Manning’s defense in January.

Last December, PayPal froze the account of the Germany-based Wau Holland foundation, which manages the bulk of donations to WikiLeaks. PayPal asserted at the time that WikiLeaks was in violation of its terms of service.

“PayPal has permanently restricted the account used by WikiLeaks due to a violation of the PayPal Acceptable Use Policy, which states that our payment service cannot be used for any activities that encourage, promote, facilitate or instruct others to engage in illegal activity,” read a statement on PayPal’s website. “We’ve notified the account holder of this action.”

PayPal didn't indicate the nature of the illegal activity that WikiLeaks allegedly promoted, but the move against WikiLeaks came after the site began publishing 250,000 State Department cables believed to have been obtained from Manning during the time he worked as an Army intelligence analyst in Iraq.

Manning was arrested last May and is currently in custody at the U.S. Marine Corps’ brig in Quantico, Virginia, awaiting a hearing in his case.

Updated at 6:30 pm: PayPal has released a statement on its blog saying it has decided to unfreeze the Courage to Resist account.

“Upon review, and as part of our normal business procedures, we have decided to lift the temporary restriction placed on their account because we have sufficient information to meet our statutory ‘Know Your Customer’ obligations,” the statement reads in part. “The Courage to Resist PayPal account is now fully operational.”

[Wired]