Security Watch | Matt Hines » February 2008

February 29, 2008 | Comments: (0)

SafeNet buying Ingrian

After a brief pause in the buying cycle, consolidation is happening again in the security sector, this time in the data encryption market.

SafeNet, which specializes in disk and file encryption, along with related networking and access control technologies, announced Friday that it has signed a deal to acquire Ingrian Networks, which is focused on encryption devices used in data centers and distributed computing environments.

Financial terms of the deal were not disclosed, but the companies said they expect the transaction to close in less than one month's time.

At first glance it would seem that SafeNet is making the deal in the hopes of becoming more of a soup-to-nuts provider of enterprise data encryption technology.

The move clearly expands its footprint into the market for large customers, with the ability to lock down information in bigger shops, managed services settings and throughout networks of geographically separated branch offices.

At a high level, the deal would also seem to move the company in the direction analysts predict the encryption segment will continue to evolve: customers seeking providers that can either manage all forms of the technology themselves or deliver it through applications embedded in other hardware and software.

SafeNet already has an embedded security product line.

Company executives also played up what Ingrian brings to the table in terms of ID and access management tools.

"This acquisition enables SafeNet to offer enterprise data security for database and server centers, and to become the first enterprise data protection solutions vendor to provide comprehensive offerings for the data centers and client devices," Chris Fedde, SafeNet's president said in a statement.

"Ingrian complements SafeNet's solutions and allows customers already purchasing identity and access management products to add more depth to their protection strategies and enhance their compliance posture," he said.

Cashing in on drivers such as the PCI DSS standard, company executives said that the combined company will be uniquely positioned to offer the database, file and mainframe encryption software provided by Ingrian alongside SafeNet's existing products, which also include high-speed network encryption and content rights management tools.

Ingrian also brings along strategic technology partnerships with well-known platform providers including Dell, HP, IBM, Microsoft and Oracle.

Many experts believe that encryption will increasingly be utilized in an integrated fashion in the products built by such companies, rather than being installed and managed as independent technologies.

"As organizations continue to invest in encryption technologies, they are looking to expand the benefits of enterprise data protection throughout the data center and beyond the edge to mobile devices," said Michael Howard, Ingrian's CEO.

The press release announcing the deal also quotes at least one analyst as looking favorably on the marriage of the two encryption vendors.

Interestingly, Stratecast's Michael Suby observes that the firms should have an opportunity to cash in on the demand for data leak prevention (DLP) technologies, which tend to use encryption as their de facto form of policy enforcement.

"Threat levels for electronically stored and transmitted data are increasing and it is important for information security vendors to be able to provide comprehensive DLP tools that are designed to work together and close gaps that could otherwise exist in protection schemes," Suby writes. "In this way, SafeNet's acquisition of Ingrian speaks to elements of the DLP synchronization of functionality that [we] believe is important for organizations to deploy."

Posted by Matt Hines on February 29, 2008 10:36 AM


February 28, 2008 | Comments: (0)

Pervasive Web app flaws under siege

The volume of threats leveled at Web-based applications continues to surge, and the sheer number of flaws in many such programs is making it easy for attackers to succeed in their efforts to steal data and generate income, according to the latest research report issued by Cenzic.

Researchers with the applications security testing specialist estimate that 71 percent of all the vulnerabilities reported worldwide during Q4 2007 were related to Web apps -- affecting everything from servers to browsers -- representing a three percent increase over the previous quarter.

The biggest issue contributing to the growth in the problem appears to be a lack of secure development skills among those people creating the programs.

For instance, of the reported flaws, applications developed using PHP accounted for roughly 30 percent of the vulnerabilities, a slight dip from Q3 2007, when they represented 31 percent of the security holes.

However, since vulnerabilities in the PHP programming language itself accounted for less than one percent of the flaws, most of the issues continue to arise purely from insecure code development practices, the company said.

Even worse, Cenzic contends that roughly 70 percent of all the reported Web applications vulnerabilities could be classified as "trivially exploitable."

Unless coders begin to improve their techniques for writing Web applications, the situation is likely to get worse before it gets better, experts said, as the continued demand among business users for new Web-based business tools and a lack of secure development skills fuel the issue.

"Some might look at the trend and feel good about the total number of vulnerabilities stabilizing. Personally, I think it's alarming. In 2007 alone, we had over 4,000 application related published vulnerabilities," said Mandeep Khera, vice president of marketing at Cenzic.

"While attacks through Web applications continue to occur at an astounding pace, very few organizations are doing anything about securing their Web applications," he said. "Corporations have to [put a stop to] this inertia before it's too late."

Cenzic reports that vulnerabilities in server or Web application server technologies accounted for approximately 10 percent of all the vulnerabilities in Q4 2007, a one percent gain over the previous quarter.

Flaws found in Web browsers represented some five percent of all the reported application flaws, down three percent from Q3 2007.

Vulnerabilities in multimedia applications including Microsoft's Windows Media Player and Apple's QuickTime accounted for only one percent of the flaws during the fourth quarter, a four percent reduction compared to the third quarter.

Cenzic noted that vulnerabilities discovered in other browser-based tools were also down during Q4, with ActiveX-based issues accounting for less than one percent of the total volume.

The company reported that vulnerabilities that could lead to cross-site scripting and SQL injection attacks remained at almost the same level of frequency as in previous quarters.

However, the percentage of Web application security flaws of the kinds highlighted in the Open Web Application Security Project's (OWASP) Top 10 listings grew by almost 8 percent, including more frequent occurrence of directory traversal and cross-site request forgery (CSRF) problems.

The ability for attackers to utilize cross-site scripting remains a serious problem, Cenzic contends, illustrated by the fact that 21 percent of the reported Web application vulnerabilities during Q4 could be exploited by such threats, a one percent increase over Q3 2007.

The company said that cross-site scripting was the most frequently reported breed of Web application vulnerability during Q4 2007. And in the real world, versus only those vulnerabilities that are reported publicly, the company said it expects that the problem is far more prevalent.

As Khera noted, some of the numbers may appear to make it seem that things are actually improving in the world of Web applications vulnerabilities, but the problem has become so pervasive that the minor gains do not represent much real improvement.

"In 2007, we saw a number of creative and lethal security attacks; Web site hacking continued to gain momentum as hackers had a field day exploiting vulnerabilities across all geographies and across different types of Web applications," Cenzic said in its report summary.

"From SQL Injection Robot to a Russian Malware gang attacking a government site to exploitation of various Google vulnerabilities to various universities – attacks continue," the report states. "Financial gains continue to be the primary goal but we also saw attacks to steal intellectual property, student records, and a few defacement incidents. The bad guys go where the vulnerabilities are and Web applications are certainly appealing and inviting to these constituents."

Posted by Matt Hines on February 28, 2008 11:44 AM


February 25, 2008 | Comments: (0)

VMware desktop vulnerability exposed

As virtualization is taking off, so are the concerns of security researchers who point out that any vulnerabilities in the software used to underpin the technology could create serious problems for end users.

Case in point: researchers at automated penetration testing specialist Core Security passed along an advisory on Monday warning of a newly discovered flaw in VMware's increasingly popular desktop virtualization software that the company contends could lead to serious attacks by insiders.

According to the report issued by the firm's CoreLabs group, someone logged onto a guest system running on VMware's Player, Workstation and ACE products could potentially break out of their walled environment and gain access to the host computer system within which they are operating.

Once exploited, the issue could then allow attackers to create or modify executable files on the host operating system, according to the advisory.

Core researchers said that they found the vulnerability -- which VMware has already been made aware of -- while looking into a previously disclosed security issue reported by iDefense Labs in March 2007.

Through the use of a specially crafted PathName to access a VMware shared folder, Core said, it could be possible to subvert the entire host system running the affected VMware products, including the ability to create or modify executable files in sensitive locations.

The company contends that the flaw results from "improper validation of the PathName parameter passed by a potentially malicious program or user in the Guest system to VMware's Shared Folders mechanism," which it said in turn can transfer into the host machine's file system.

"What's most relevant about this vulnerability is it demonstrates how virtual environments can provide an open door to the underlying infrastructures that host them," Iván Arce, Core's CTO, said in a research note.

"Organizations often adopt virtualization technologies with the assumption that the isolation between the host and guest systems will improve their security posture," Arce said. "This vulnerability provides an important wake-up call that virtualization is not immune to security flaws and that 'real' environments aren't safe simply because they sit behind virtual environments."

Core reported further that the nature of the VMware flaw, which it tabbed as "a path traversal vulnerability," is found in many other types of Web server software and applications, and that it involves specifying pathnames that include the ".." substring to escape folder access restrictions.

"To prevent this type of attack, it is common to filter out the potentially malicious substring from input received from un-trusted sources," Core said.

Researchers said that affected VMware products that utilize the shared folders feature cannot effectively "sanitize" malicious input in the PathName parameter.

"Although stricter input validation was implemented to fix the vulnerability disclosed previously, the shared folder mechanism still provides complete access to the underlying file system of the Host system due to improper handling of strings with multi-byte encodings," the advisory said.
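The advisory's two points, that a substring filter for ".." is the common defence and that it can be defeated by multi-byte encodings, are easiest to see side by side. The following is an added illustration written for this post, not Core's or VMware's code: a guard for a shared-folder style interface that confines a guest-supplied path to one host directory. The host share root, the byte-level interface and the sample inputs (including an overlong UTF-8 encoding of ".", a constructed example of a multi-byte sequence a raw substring check does not see) are all assumptions.

```python
import posixpath
from typing import Optional

# Assumed host-side root of the shared folder (constructed for this example).
HOST_SHARE = "/srv/share"


def naive_filter(guest_path: bytes) -> bool:
    """The 'common' mitigation the advisory describes: refuse any input whose
    raw bytes contain "..". Returns True when the path would be allowed."""
    return b".." not in guest_path


def resolve_guest_path(guest_path: bytes, root: str = HOST_SHARE) -> Optional[str]:
    """Decode, canonicalise, then check containment. Returns the host path
    to use, or None if the request must be refused."""
    try:
        # Strict decoding rejects overlong and otherwise malformed multi-byte
        # sequences instead of letting a later layer reinterpret them.
        text = guest_path.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return None
    if "\x00" in text:
        return None                      # embedded NUL would truncate on the host side
    text = text.replace("\\", "/")       # treat Windows-style separators uniformly
    if text.startswith("/"):
        return None                      # absolute paths have no meaning inside a share
    # normpath collapses "a/../b" and "./", so the only way the result can leave
    # the root is through ".." components that really point outside it.
    joined = posixpath.normpath(posixpath.join(root, text))
    if joined != root and not joined.startswith(root + "/"):
        return None
    return joined


if __name__ == "__main__":
    # Constructed sample requests, not taken from the advisory.
    samples = [
        b"docs/readme.txt",
        b"docs/../readme.txt",
        b"../etc/passwd",
        b"\xc0\xae\xc0\xae/secret",      # overlong UTF-8 for ".." (constructed)
    ]
    for sample in samples:
        print(sample, "naive:", naive_filter(sample),
              "canonical:", resolve_guest_path(sample))
```

The important difference is order of operations: the naive version inspects the bytes as received, while the hardened version first decodes them under a strict policy, then normalises, and only then asks whether the resulting host path is still inside the share. That is also what makes the read-only workaround mentioned below a weaker fallback: it limits what a traversal can do, but does not stop the path from being resolved.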

The vulnerability is only exposed to attack when the shared folders feature is turned on (it is enabled by default) and at least one folder on the host system is configured for sharing.

The company advised that customers looking for a workaround to lower their risk should simply disable shared folders in all installations of the vulnerable software. If that is not an option, configuring shared folders to allow only read-only access to the host folder may also help.

For its part, VMware said that it will address the vulnerability within the normal update release schedule of the affected products.

In the meantime the company advised customers to disable shared folders for all virtual machines that use the feature, configure the system for read-only access, or implement appropriate file system monitoring and access control mechanisms on the host operating system until they can upgrade to unaffected versions of the products.

Posted by Matt Hines on February 25, 2008 02:26 PM


February 21, 2008 | Comments: (0)

Spammers gaming Google advertising

Security researchers at e-mail and DLP filtering specialist Proofpoint are reporting a new form of fraud being carried out over Google's online advertising network.

According to the experts, schemers are using spam messages designed to send traffic directly to specific banner ads they control via the Google AdWords program, a new method of tricking unsuspecting users into providing them with ill-gotten income.

The idea is that once someone clicks on such a link, many of which are advertised as URLs for legitimate online retailers or pornographic Web sites, the responsible parties simply collect the revenue they would otherwise garner only if a visitor to a Web site they control could be convinced to click on such an ad.

Basically they're cutting out the middleman, or the need to create fake sites to drive clicks to their ads.

Google typically moves quickly to disable any ads on its network that are found to violate its policies, which clearly forbid behavior such as that described by Proofpoint.

Company representatives didn't immediately respond to inquiries regarding the Proofpoint report.

Despite Google's continued efforts to eradicate opportunities for people to commit click fraud via its ad networks, Proofpoint execs said that the system is still rife with opportunities for misuse, even if the scams can only be carried out for short periods of time before the search giant sniffs them out and shuts down the related sites or banners.

Proofpoint said further that it has already observed spammers using generalized redirect URLs to generate income using AdWords. By modifying certain parts of the Google AdWords URLs the scammers attempt to redirect users to sites they control, not those being advertised in the ads.

In some cases, the URLs being seen by the company redirect people to malware-infested sites hosting Trojan-downloaders or botnet programs. In other cases they merely lead to other more general, spam-driven sites, Proofpoint said.

"The [AdWords] system is open to various types of abuse; [the banner ad spam is] a clever obfuscation technique as less sophisticated spam filters, seeing the Google.com URL might interpret the URL as being legitimate and don't filter the message as spam," said Rami Habal, director of product marketing at Proofpoint.

"Our team has been expecting spammers to start exploiting the AdWords system in these sorts of ways," he said. "We've already seen Google searches exploited in a similar way through 'I feel lucky' URLs, and [we] were a little surprised it took [fraudsters] this long to catch on."

Posted by Matt Hines on February 21, 2008 01:35 PM


February 14, 2008 | Comments: (0)

Spam and malware are for lovers

Even if you haven't been infected by the charms and socially transmitted diseases of the CyberLover attack, there's likely plenty of Valentine's Day love awaiting you in your in-box and online today.

As has become their wont, the vast array of sleazy cyber-criminals have spent their time sweating through the lonely night by the lights of their computers to create just the right romantic messages to lure the lonely hearted and the love-struck.

Much as they enjoy stuffing our stockings with botnets, rootkits, SQL injections and social engineering gimmicks at that most wonderful time of the year, the V-Day assault has become something of an annual tradition.

So, rather than assuming that some long-lost love, or someone still close to your heart has put together a gripping tribute detailing their affection for you via e-card, e-mail or Web link… think twice before opening anything unsolicited, because there's a good chance that it's a trap.

Not that true love ain't the same -- damn the cynic in me.

And much as the mal-crowd has made it an all out effort to take advantage of the Valentine's season, security vendors from all corners of the globe are sending out warnings about various threats.

In that sense it would seem that love's not blind… at least not for security researchers.

But let's face it, 99 percent of them are dudes, so the ability to cut through the romantic to find the dark inner core shouldn't be too surprising. Perhaps I've had too much dark chocolate already.

So, a roundup of the threats that may assail you on this day of lovers and lechery:

On the spam front, because nothing says I love you like unsolicited e-mail linking to malware sites, BitDefender is warning of two major campaigns, one of which involves romantically oriented pharmaceuticals, and another promising "Perfect gifts for Valentine's Day." (Now there's one that's likely to hook some guys at this late hour for shopping.)

The pages opened by the included URLs take users to e-commerce sites advertising free gift cards, flowers and music, among other themes. You should know by now that not even love is free.

Particularly devilish iterations of the spam carried adware and are being driven by the promise of love-themed e-cards. By downloading some free smiley avatars along with the e-card, bang, you just got owned.

Over in Russia, the boys at Kaspersky are tracking some large-scale mass mailing Valentine's Day spam as well. The messages currently account for roughly 5 percent of all mail traffic being sniffed by the AV company.

The text of the messages mostly asks the reader to click on a link to view a selection of Valentine's Day e-cards. However, by doing so, users will instead receive the Packed.Win32.Tibs.ic malware. How sweet.

The links included in the messages in question are displayed in the format "http://xxx.xxx.xxx.xxx," where "xxx" is a number, which is unusual for this type of mailing, the company said.
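Two of the spam traits described in this column lend themselves to simple mail-filter heuristics: Kaspersky's observation above that the links point at bare numeric addresses, and Proofpoint's point in the February 21 post that a URL on a trusted domain can carry the real destination inside a query parameter, so a filter that judges only the outer domain is fooled. The following scanner is an added example written for this column, not code from Kaspersky, Proofpoint or Google; the message body, the addresses (from the 198.51.100.0/24 documentation range) and the "dest=" parameter name are all constructed, and the detector deliberately inspects every query value rather than relying on any particular ad network's parameter names.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample message body, not a real spam sample.
SAMPLE_BODY = """\
Your Valentine card is waiting: http://198.51.100.7/cards/view
Special offer from a trusted site: https://www.trusted-ads.example/click?dest=http://198.51.100.8/landing
Plain link: https://www.example.com/valentines
"""

URL_RE = re.compile(r"""https?://[^\s<>"')]+""")


def find_urls(text: str) -> List[str]:
    """Pull every http(s) URL out of a message body."""
    return URL_RE.findall(text)


def is_raw_ip_host(host: str) -> bool:
    """True when the host is a dotted-quad IPv4 literal rather than a name
    (the "http://xxx.xxx.xxx.xxx" pattern Kaspersky describes)."""
    m = re.fullmatch(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})", host)
    return m is not None and all(int(octet) <= 255 for octet in m.groups())


def embedded_redirect(url: str) -> Optional[str]:
    """Return a complete URL carried inside a query parameter when it points at
    a different host than the outer URL; None otherwise. parse_qs also undoes
    percent-encoding, so an encoded inner URL is still found."""
    outer = urlsplit(url)
    outer_host = (outer.hostname or "").lower()
    for values in parse_qs(outer.query).values():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                inner_host = (urlsplit(value).hostname or "").lower()
                if inner_host and inner_host != outer_host:
                    return value
    return None


def classify_url(url: str) -> List[str]:
    """Tag a URL; the raw-IP check is applied to the final destination, so a
    trusted-looking outer domain does not mask a numeric landing host."""
    tags: List[str] = []
    inner = embedded_redirect(url)
    if inner:
        tags.append("embedded-redirect")
    final_host = urlsplit(inner or url).hostname or ""
    if is_raw_ip_host(final_host):
        tags.append("raw-ip-destination")
    return tags


def scan_message(body: str) -> List[Dict[str, object]]:
    """Run both heuristics over every URL in a message and report the hits."""
    findings: List[Dict[str, object]] = []
    for url in find_urls(body):
        tags = classify_url(url)
        if tags:
            findings.append({"url": url, "tags": tags})
    return findings


if __name__ == "__main__":
    for finding in scan_message(SAMPLE_BODY):
        print(finding["url"], "->", ", ".join(finding["tags"]))
```

Neither heuristic is a verdict on its own; numeric-host links and redirect parameters both have legitimate uses. Their value is as features a filter scores alongside others, which is exactly the point Proofpoint makes about filters that stop at the outer domain.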

"We presume the peak in Valentine's Day spam is still to come," Andrei Nikishin, director for IT security outsourcing at Kaspersky Lab, reports. Charming!

And if you were worried that the P2P botnet Storm Worm Trojan forgot what a wonderful year you've had together, sharing so many moments, fear not.

F-Secure's research labs reports that the Storm botnet is sending another round of Valentine's Day spam using headlines such as "Love Rose," "Rockin' Valentine" and "Just You," along with the same filename, which directs recipients to a malware-infested Web site.

Because who needs candy hearts when you've got botnet-induced spam runs? Ah romance.

At Sophos, researchers are predicting that millions of e-mails will be sent over the course of St. Valentine's Day, many of which will include malware-ridden attachments or links to nefarious Web sites.

One such example seen by Sophos researchers is a romantically themed e-mail that directs unsuspecting computer users to a Web site containing romantic images alongside a variant of the Dorf malware (W32/Dorf-AW), another Storm variant.

Other e-mails with subject lines including "I Like You", "Powerful Love", "Tower of Love", "You Stay In My Heart", "Hugs And Kisses", "Val-ANT-ines", "Just You", "What is Love?", "The Love Train", "My Heart", "You're My Valentine", "Just You", "My Love For You", "Love Rose", "World Love", "You Stay In My Heart", "A Rose To Say...", "I Love You", "Valentine Friends", "Love Rose", "Thinking Of U All Day", "Valentine Invitation", and "Happy Valentine's Day!" link to a site designed to infect PCs in order to send more spam, launch denial-of-service attacks, or commit identity theft.

Security firm BD-BrandProtect offers some tips for consumers to protect themselves from these threats:

-Do not open any e-cards from someone you don't know.
-Educate yourself on any potential attacks that are already known out there.
-Make sure you have the latest security software installed on your computer.
-Visit legitimate e-card services to see any potential scams they are aware of.

Happy V-Day. Feel the love.

Posted by Matt Hines on February 14, 2008 08:32 AM


February 12, 2008 | Comments: (0)

ID theft on the decline

Even with a robust underground market for stolen personal data being fed by a seemingly endless stream of data leakage events and electronic crimes, new research indicates that incidents of identity theft actually dropped in sheer volume during 2007.

According to the 2008 Identity Fraud Survey Report released by Javelin Strategy & Research, identity fraud fell by an estimated 12 percent in the U.S. during 2007, compared to 2006, representing a reduction of $6 billion in the amount of money stolen through such scams.

Based on the company's estimates, drawn from interviews with 5,000 individual consumers, some 300,000 fewer adults were victimized through identity fraud in 2007 than in 2006. The report projects the total annual cost of identity fraud in 2007 at $45 billion, down from $51 billion the year before.

The findings actually reinforce previous iterations of the report, as the number of people affected by ID fraud has dropped significantly since Javelin began conducting the research in 2004.

According to the firm, roughly 4.25 percent of the adult population of the U.S. was hit with ID fraud during 2004. In 2007, only 3.58 percent of adults were targeted by the crimes.

Javelin contends that factors contributing to the decline in ID fraud attacks include far greater public awareness of the problem, and improvements being made among businesses that hold large amounts of sensitive consumer data. As more such work is completed, the research firm said that it expects the fraud reduction to continue, although likely at a slower pace.

Despite the seemingly positive evidence about the drop in the overall popularity of ID fraud, the dark side of the report is that those individuals who are being victimized by the schemes are getting fleeced for more of their funds.

According to the report, the cost per consumer for ID fraud, derived by estimating all the money individuals lost and spent while being attacked and attempting to regain their credibility, rose significantly during 2007.

The cost per consumer in 2007 averaged $691, an increase of 25 percent over the figure of $554 reported in the 2006 report.

"The 2008 Report confirmed what we believe to be true: that while fraud is declining, it is still a concern for the American public," James Van Dyke, president and founder of Javelin, said in a report summary. "The good news is the leadership role many businesses are taking in educating consumers about ID fraud risk factors is paying off. Still, fraudsters are getting creative and leveraging new techniques to commit fraud, so Americans need to be as diligent as ever in protecting their personal information."

The report also contends that while phishing, keystroke-logging malware and other common forms of electronic ID theft still represent the lion's share of incidents, attackers are also turning to older channels, namely the mail and the telephone, to carry out more of their scams.

IDs stolen via mail and telephone transactions grew from 3 percent of incidents in 2006 to 40 percent in 2007.

The most common method used by fraudsters to that end was so-called "vishing," which involves the use of voice over Internet protocol (VoIP) and other phone systems to cull information from targets.

Rather than trying to trick someone into visiting a fake Web page to enter their personal data, schemers simply call people up, pretend to be their banks or other types of businesses, and convince them to share sensitive information.

The report also uncovered a regional aspect to ID fraud, with attacks less frequent on people living in the Northeast U.S., while residents of California, Delaware, Idaho, Illinois and West Virginia are at the highest risk.

Posted by Matt Hines on February 12, 2008 01:36 PM


February 11, 2008 | Comments: (0)

Users fear for mobile security

As the wireless industry convenes in Barcelona this week for the Mobile World Congress confab, only a handful of relatively innocuous attacks aimed at the handheld devices and applications being feted at the event are even known to exist.

Yet, end users are clearly already concerned that the same type of dangerous and unpredictable security environment that has emerged around more traditional computing platforms in recent years will soon find its way onto their mobile devices -- at least according to McAfee.

Based on the IT vendor's Mobile Security Report 2008, which revolves around over 2,000 interviews conducted with consumers worldwide in partnership with researchers at Datamonitor, McAfee found that a majority of end users are already keeping an eye out for potential wireless threats.

Of those interviewed, some 58 percent said that they already fear different forms of mobile attack, while 86 percent recognized the need for concern around issues of mobile security.

The truth is that this has to be good news for everyone -- and not just vendors like McAfee who want to take advantage of the trepidation to sell mobile device protection technologies. The healthy dose of fear that exists around mobility at the very least indicates that people are aware that they will be targeted via their handhelds down the road.

In the world of desktops and laptops, research clearly indicates that many users still haven't figured out how to avoid potential hacks and social engineering ploys, despite the avalanche of threats that have already been documented.

Of the leading security problems that end users expect to encounter on their handhelds, many are attacks related to extended services that can be accessed via the devices. Over 72 percent of those surveyed said that they harbor some security concerns related to services including wireless banking and multimedia downloads.

Individually, the banking and mobile payments arena is the segment where most people feel they might get attacked, with 55 percent of respondents highlighting their expectations for such threats. Roughly 40 percent of those interviewed expressed worries over mobile vouchers and ticketing, and over mobile multimedia downloads such as ring tones, music and games.

Of particular note, in regions where wireless micro payments (buy a Coke with your phone, etc.) are already popular, people said they worry that attackers might target the applications. In Japan, for instance, a leading micro-payment center, almost 60 percent of respondents said they are at least somewhat fearful of payment-related threats.

The mobile Web is another area of concern for all users, with 80 percent of those who access the Internet on their mobile devices wary that the practice could make them more vulnerable to attacks.

One of the big questions in the mobile security space remains whether or not users will be willing to pay for anti-malware and data protection tools for use on their handhelds, or whether they will expect the phones to come pre-loaded with onboard defenses from phone makers and carriers.

While companies like McAfee would clearly like to see the same model for mobile devices that exists on the PC, with people buying and continually updating AV and security applications for their handhelds, customers are already looking to their device and service providers to tackle the problem.

Among respondents to the survey, 83.5 percent said that they run separate security software on their PCs, but 79 percent said that they don't utilize similar tools for their mobile devices. Just below 60 percent specifically said that they expect mobile operators to take primary responsibility for protecting their devices and services.

"The study found that mobile users have a very clear preference of who should be responsible for ensuring the security of mobile devices and services and how it should be paid for," Victor Kouznetsov, senior vice president of McAfee Mobile Security group, said in a report summary. "As such, mobile content certification and mobile application assurance will become increasingly essential in maintaining user trust and confidence."

Posted by Matt Hines on February 11, 2008 11:55 AM


February 06, 2008 | Comments: (0)

Botnets thrash, peddle celebrity trash

There may be a range of new technologies on the market aimed at thwarting the botnet problem -- including tools built by startups dedicated solely to addressing the threats -- but that hasn't stopped architects of the attacks from churning out scads of powerful new variants.

In what should come as a surprise to no one, even as the technological underpinnings of the newest botnet threats become more complex and harder to fight, attackers are still cashing in on the time-honored thematic platform of celebrity skin to lure end users into getting suckered.

According to researchers at BitDefender, a new spam-driven botnet that has appeared in the last week is tempting people with the promise of Web videos featuring explicit footage of celebrities including Paris Hilton and Britney Spears.

Once someone clicks on an e-mail link to the site offering the videos they are directed to a malware-infested URL that downloads and executes more rootkit or spambot malware on their computers, and then forwards itself to other people in affected users' e-mail directories with links back to the Trojan downloader site.

The technological twist exercised in the celebrity skin spam botnet involves the use of Google search results to help the attack evade security filters. So, rather than e-mailing people a link to the Trojan site, the botnet-breeding program merely adds all the normal Google search result code in front of the URL to help sneak it past monitoring agents.

I'm sure that Britney Spears wishes it could be nearly as simple to sneak her way off of the psychiatric unit at Cedars-Sinai Hospital where she's been living of late. One could reasonably assume that Paris Hilton might actually relish the added attention.

In a more technically-advanced breed of threat that has surfaced within the last several weeks, experts at Damballa -- an anti-botnet technology specialist -- have detected what they are calling the "stealthiest, most robust and coordinated" peer-to-peer (P2P) iteration of the attacks that they have observed to date.

According to the Damballa researchers, the new botnet breed, dubbed MayDay, significantly ups the ante in terms of its ability to circumvent anti-virus technologies and propagate itself across corporate networks. MayDay may have the potential to become even more dangerous than the P2P botnet labeled as the Storm Worm, which is still causing major headaches over a year after its initial discovery.

MayDay has already found its way into multiple Fortune 50 companies, Damballa claims, and if anyone is using anti-botnet tools it is likely to be those fat cat customers. Major ISPs, educational institutions and other large enterprises are also showing up on the botnet, the researchers said, with organizations in the U.S. hit hardest by the attack.

The botnet works by using HTTP traffic to communicate with its command and control center, and ICMP traffic to communicate among infected machines. Damballa reports that there is also some peer-based TCP communication between compromised devices, but noted that those connections have yet to be put into use for nefarious purposes.
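The traffic pattern Damballa describes (HTTP out to a controller, ICMP between infected peers) suggests a cheap triage check, shown here as an added example that is not part of the post or of Damballa's tooling: count each internal host's distinct internal ICMP partners and list the external HTTP contacts of any host whose fan-out looks unlike a workstation. The flow-record format, the address ranges and the threshold are constructed for this example.

```python
"""Flag internal hosts with unusual ICMP peer fan-out plus external HTTP.

Added example, not from the post or Damballa. Ordinary workstations rarely
exchange ICMP with many internal peers, so a large set of distinct internal
ICMP partners, paired with outbound HTTP, matches the MayDay pattern
described above. Flow format "src dst proto" and the threshold are constructed.
"""
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
PEER_THRESHOLD = 3   # distinct internal ICMP peers before a host is flagged

# Constructed flow records: "src dst proto".
SAMPLE_FLOWS = """\
10.0.1.5 10.0.1.9 icmp
10.0.1.5 10.0.1.12 icmp
10.0.1.5 10.0.2.7 icmp
10.0.1.5 10.0.2.8 icmp
10.0.1.5 203.0.113.10 tcp/80
10.0.1.9 10.0.1.5 icmp
10.0.3.3 8.8.8.8 icmp
10.0.3.3 10.0.3.4 icmp
"""


def summarize(flow_text: str):
    """Return (icmp_peers, http_external), both keyed by internal host."""
    icmp_peers = defaultdict(set)
    http_ext = defaultdict(set)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto = line.split()
        a, b = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if proto == "icmp" and a in INTERNAL and b in INTERNAL:
            icmp_peers[src].add(dst)   # lateral ICMP counts for both ends
            icmp_peers[dst].add(src)
        elif proto == "tcp/80" and a in INTERNAL and b not in INTERNAL:
            http_ext[src].add(dst)     # candidate command-and-control contact
    return icmp_peers, http_ext


def suspicious_hosts(flow_text: str, threshold: int = PEER_THRESHOLD):
    """Hosts at or above the ICMP fan-out threshold, with their HTTP contacts."""
    icmp_peers, http_ext = summarize(flow_text)
    return {h: sorted(http_ext.get(h, ()))
            for h, p in icmp_peers.items() if len(p) >= threshold}


if __name__ == "__main__":
    for host, contacts in suspicious_hosts(SAMPLE_FLOWS).items():
        print(f"{host}: ICMP fan-out high; external HTTP to {contacts}")
```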

"There's clearly increasing sophistication in the technologies that botmasters are using; they've started reusing existing infrastructure to build their own private IRC servers with enhanced features aimed at throwing off security researchers," said Tripp Cox, vice president of engineering at Damballa.

"The botnet creators are also using encryption to make their protocols even harder for researchers to re-engineer," he said. "As long as users demand the ability to update their computers' capabilities at any time it's going to be very difficult to get security controls in place to stop these botnets from spreading."

Posted by Matt Hines on February 6, 2008 11:59 AM


February 04, 2008 | Comments: (0)

Big trouble with teen hackers

Teenagers, including children as young as eleven and twelve years old, are increasingly becoming involved in serious cyber-criminal activity that exposes themselves and the users they target to a full range of dangerous repercussions.

According to Chris Boyd -- a well-known security researcher who works for FaceTime Communications and was in Washington D.C. last week presenting at the Anti-Spyware Coalition's latest confab -- he and other white hat hackers are coming across a growing number of underground malware distribution forums wholly populated and operated by teens under the age of 16.

When the security industry meets for the annual RSA Security conference in April, Boyd plans to share more of his research into the topic.

And while these groups of younger hackers may be less experienced, the fruits of their labors are often just as nefarious as the schemes being run by older professionals. The teen-run forum sites are rife with the same types of malware exploits and stolen credit card data that adult cyber-criminals use to ply their trades, Boyd said.

One of the biggest problems with the scenario, he said, is that many of the teen hackers don't appear to understand the seriousness of the activity that they're getting involved in.

Even worse, most aren't going to great lengths to disguise their real-life identities, which could lead to them being arrested or taken advantage of by more experienced hackers looking for victims, he said.

"Most have absolutely no idea of what they're getting into; they're swapping stolen credit card data using their real names and photos, they're committing real crimes and leaving huge paper trails back to their real identities," said Boyd, who also goes by the name "Paperghost" in conducting his underground research.

"The scary thing is that these are kids with very strong coding skills who have also already mastered the social engineering techniques needed to trick other people -- who are often times the other kids using these sites -- into falling for all sorts of attacks," he said. "You even have kids putting up tribute sites with their real names bragging about all the crimes they've committed, selling t-shirts about it, and when you talk to them they don't have a clue of how much trouble they might be getting into."

Boyd has spent a significant amount of his energies of late infiltrating the underground "kiddie" sites and trying to show the youngsters the errors of their ways by pointing out how easily they can be caught, and how simple it is to trace their activity back to their real-world lives.

In many cases, said the researcher, the young hackers are pointing directly from their underground malware activity to their personal pages on sites like MySpace, which could make it easy for law enforcement agencies tasked with investigating their exploits to find them and pursue them in court.

Added to any legal trouble the younger hackers might get themselves into is the fact that there are also older, more experienced hackers trolling the teen underground forums to recruit the youngsters as functionaries for their own more-advanced malware schemes.

The adult hackers know they can find willing accomplices who are easily misled into committing more serious crimes than they realize, and who will eventually be the ones caught holding the bag when investigators begin piecing any charges together, he said.

Boyd said that many of the teen hacking forums are based around the culture of online video games, and that the malicious activity often grows out of the hacking of player accounts, or the sharing of programs that can be used to cheat at the applications.

It doesn't take much for teen hackers -- most of whom appear to be based in affluent western countries like the U.S. and U.K. -- to segue from cheating at games to stealing credit card information, said Boyd.

"It's amazing that these are sites being run by kids; you go in and there is an endless supply of stolen credit card data, and they've got sophisticated cross-site scripting tools and professional phishing kits that they're using to get even more data," he said. "And on the same sites they're posting all their real personal data and lists of sites that they've hacked."

In an interesting social twist, some of the young hackers also appear to have decided to take the law into their own hands to shut down any shadowy domains they come across online, including child pornography sites.

However, despite the noble aspirations, the endgame is a situation where you have children coming into direct contact with people controlling the sites, saving illegal content to their computers, and potentially making it harder for real world investigators to go after the same individuals.

"You have these more self-righteous kids trying to deface child porn sites, and not only are they being exposed to the content, but they're saving images and the like that could get them into legal trouble, and it makes it harder for the police by destroying evidence, it's a bad situation by anyone's guess," Boyd said. "You have the idea that some of the people running the sites could figure out who these kids are, it all gets very dangerous very quickly."

While the researcher has been trying to work with online hosting companies to help shut down the underground kiddie hacking forums, Boyd said that the firms remain a major obstacle, refusing to intervene unless they absolutely have to, even when there's evidence of significant criminal activity.

As a result, the expert said that the most effective manner for convincing those teens involved to stop is by calling them out by name and showing them how easily their real identities can be uncovered.

"Typically you don't want to give clues to forum operators why they're being taken down, but in this case we're trying to communicate with them directly, to show them that we know who they are and what they are doing, and that the cops could do the same thing," Boyd said. "If you hit them hard and fast and take down their sites and shame them, at least in some cases it seems like they're getting scared off."

In the best case scenario, Boyd said, several of the aspiring technophiles have been converted into white hats and convinced to begin helping security researchers infiltrate their ranks and take down other teens' malware campaigns. The researcher said he has at least one such teen working directly under his supervision contributing to an anti-hacking project.

It's worth noting of course that many of the white hat hackers you run across today -- people in their thirties who present at conferences, who are running their own security software companies or working for major industry names -- admit that they got their start acting as script kiddies who thrilled in the defacement of public sites before going legit.

For our sake, hopefully a lot of the younger hackers of today will grow into the researchers of tomorrow. It sounds like we're going to need the help.

Posted by Matt Hines on February 4, 2008 09:11 AM


February 01, 2008 | Comments: (0)

Calif. Rep. wants tougher breach, ID theft laws

California State Senator Joe Simitian -- a Democrat representing the tech-heavy Palo Alto constituency -- is back on the war path fighting for consumer rights relating to the use of information technology, in this case seeking stronger laws regarding data breach reporting guidelines and promoting new legal tools for use in punishing identity thieves.

Simitian -- who still has four individual bills under consideration by the state legislature aimed at curbing the use of RFID technology in government-issued IDs and documents, in the name of protecting individual privacy rights -- has pushed two new bills through the California State Senate that address breach reports and identity theft, respectively.

All six of the bills are now waiting for potential approval by the California State Assembly.

With Senate Bill (SB) 364 -- passed by the Senate in a vote of 30-7 -- Simitian is pushing for a law that would require companies that experience breaches to send individuals whose data is exposed a "clear, informative notification letter," versus the vague notifications they are allowed to distribute under California's landmark 1386 measure, which the legislator also helped author.

California 1386 is the data breach notification law passed in 2003 that arguably triggered the entire data security revolution and spawned markets including the DLP sector by forcing companies to inform consumers who are affected by exposures and to report the incidents publicly.

More than 40 other states have adopted similar laws since 1386 was initially passed.

Simitian argues that while the existing notifications are helpful, there are no standard guidelines for what types of information must be included in the notices, allowing some firms to "sugarcoat" the details or twist them up in legal jargon that most consumers won't understand.

If passed, the measure would require companies to provide toll-free telephone numbers of the major credit reporting agencies, the name and contact information of the business that has experienced a breach, the type of information that might have been taken, the date of the breach and of its discovery, a general description of the breach and the estimated number of persons affected.

Bill 364 would also require the state to establish a central reporting site to catalog security breaches.

"No one likes to get the news that information about them has been stolen, but when it happens, people are entitled to get a notice they can understand, and that helps them decide what to do next," Simitian said in a statement. "The premise is simple; what you don't know can hurt you. Ignorance is not bliss. And you can't protect yourself if you don't know you're at risk."

By passing the bill into law, California would greatly improve the reach of 1386, he said.

Some data security experts are already backing the measure.

"Senator Simitian's amendments will reduce the incidence and severity of breaches, because security professionals learn from incidents at other organizations, and take action at their own companies to fix problems or recognize previously unforeseen risks," said Chris Hoofnagle, senior staff attorney at the Samuelson Clinic at the Technology & Public Policy Clinic at the University of California - Berkeley School of Law.

In his second piece of legislation, Senate Bill (SB) 612, Simitian and co-authors Dave Cogdill and Bob Margett, both Republican state senators in California, are seeking passage of a law that would allow identity theft to be prosecuted in the county in which a victim lives.

Currently, California law permits prosecution in the county in which the theft occurred or the county in which the information was subsequently used, which makes it harder for those people affected and any involved prosecutors to seek justice against individuals caught stealing identities, the bill argues.

SB 612 received a unanimous 40-0 vote in favor from the California State Senate.

"Too often identity thieves can act with impunity simply because their victims live in a remote community; expecting a local district attorney to prosecute a case when the victim or victims are all at the other end of the state is simply unrealistic," Simitian said in a statement.

SB 612 would permit, but not require, prosecution in the county where the victim resides, with a judge eventually deciding where to hold the trial.

Experts have also endorsed that piece of legislation.

"Senator Simitian's legislation puts some teeth into our existing laws regarding identity theft. Without prosecution, there's no deterrent," Lenny Goldberg, a lobbyist for the non-profit Privacy Rights Clearinghouse, said in a statement.

Posted by Matt Hines on February 1, 2008 03:28 PM