Thursday, October 16, 2008
Organised crime syndicates are raking in fat profits in cyberspace, and becoming one of the biggest online menaces.
Such professional cyber gangsters are among the quickest to use new technology to, say, hijack and loot online banking or video game accounts. Some are making big bucks renting out hacking tools to aid less skilled parties in causing havoc, say security experts.
According to Ministry of Home Affairs (MHA) information technology security consultant Yu Chien Siang, such crime syndicates have been quick to realise the promise of cyber crimes - which can be more profitable than peddling drugs in the real world - and are swiftly 'reinventing' themselves to become high-tech hacking gangs.
Mr Yu was the keynote speaker at the 17th annual GovernmentWare infocomm security conference held at the Suntec International Convention and Exhibition Centre last week.
Just last month, many fans of online game Maple Story found their accounts hacked into and looted by one such hacking gang, reportedly of Chinese origin.
To guard against such threats, the Government is beefing up cyber security here. The three-day GovernmentWare event, which is expected to attract over 600 infocomm security professionals, is one effort to raise awareness and equip Singapore professionals with the knowledge and tools to counter such threats.
Topics covered include new cyber threats, developments in fingerprint and facial-recognition technology as well as wireless security.
The MHA has also matchmade tech giant Microsoft with the Singapore Management University to improve the quality of infocomm security education here.
Beginning next January, a module on computer forensics will help infocomm undergraduates understand ways of tackling a security breach.
Governments and companies that fail to fend off these cyber attacks will pay a terrible price, said Senior Minister of State for Law and Home Affairs Ho Peng Kee, who was the guest of honour at yesterday's event.
If critical government information infrastructure like Singapore's SingPass authentication system is breached, the effects could be disastrous, he said. SingPass is the login system used to access important government electronic services.
Hackers and cyber gangsters have already wrought havoc overseas, said Professor Ho, citing the example of the Georgian cyber war of two months ago.
When Russian tanks rolled into Georgia in early August, a shadowy army of Russian computer hackers hammered at Georgian government websites in an effort to crash them.
And the launch of the Apple iPhone last year was 'rapidly followed by attacks that exploited its vulnerabilities...the very innovation which is used to improve our lives can also be used by cyber attackers in a disastrous way,' said Prof Ho.
On the flip side, he said, governments and companies that can handle security well stand to reap significant economic benefits.
For instance, a 'secured cyber nation will have a comparative advantage in attracting foreign investments'.
Companies, said the MHA's Mr Yu, will also be able to introduce new and more efficient business, for example, allowing their employees to work from home or accepting electronic documents instead of physical ones.
Saudi-owned Al-Arabiya television seems to have been the target in a Shiite riposte for damage recently inflicted by Sunni hackers on hundreds of sites connected to the Iranian government and Iraq's most senior Shiite cleric. Attacks and counter-attacks of this sort are not a surprise anymore, but they remain a disappointment. Just as then-new mediums like radio and satellite television prompted "wars" in which supporters of one movement or another sought - by means both fair and foul - to counter the arguments and limit the influence of their rivals, so does the Internet now constitute a new venue for "ideological" battles that fly in the face of what the open interchange of ideas is supposed to be all about.
What is different this time is the relative ease with which able hackers can and do conceal their identities, which makes it very difficult to control the practice. Those who understand the technology and the architecture of the Internet have little trouble avoiding detection - and can even cause their work to look like someone else's with a few keystrokes. Participants in cyber-warfare are not hindered by borders, either, so expect the contest to continue - and even to intensify.
To be sure, the phenomenon is troubling, especially if one happens to be on the receiving end of a cyber-attack, as happened to this newspaper a few years ago when Israeli hackers attempted to silence our Web site. Around the same time a similar assault was launched against Hizbullah's site, but the subsequent taking down of the Israeli Foreign Ministry's seemed to deter further adventures.
This last example gives cause to believe that the phenomenon might not be a wholly negative one. It is surely a waste of talent to have such capable people spending their time and effort on destroying and restricting things - especially ideas - instead of building and distributing them. It is also a shame when a medium with so much potential to let people from opposite sides of the world (or of a political dispute) engage with one another is, instead, used for mutual sabotage. As the current Sunni-Shiite contest reminds us, however, there is no shortage of either ability or enthusiasm out there among the (presumably youthful) hackers. As in so many other spheres of what passes for the modern Middle East, what is missing is a way to channel these talents into more productive endeavors.
The cyber-war, then, is little more than another facet of a malaise that has gripped the region for decades. Absent competent and legitimate governance, our youth are drawn to myriad activities that serve as temporary placebos for the satisfaction they might derive from educational and/or career pursuits available to their peers in more fortunate parts of the world. From the point of view of ruling political elites, this is a good thing because it helps ensure that young people develop neither an awareness of who their real enemies (both foreign and domestic) are, nor a habit of organized and sustained action to better their societies by demanding - or even providing - better leadership. For everyone else, it is just the latest headache or the latest way to relieve the boredom of unemployment.
Microsoft pushes out 11 security bulletins as part of October's Patch Tuesday. Microsoft also unveils its Exploitability Index, which includes information about vulnerabilities that are likely to be exploited. Four of the 11 bulletins cover security issues rated critical.
Microsoft released 11 security bulletins for Patch Tuesday Oct. 14 as well as a new measuring stick to judge them by.
The "Exploitability Index" appears as a new table on the monthly Microsoft Security Bulletin Summary. Next to each bulletin is an additional rating based on how likely it is that the vulnerability will be exploited. An additional column is for notes with extra information.
"Exploitability Index is a way to provide more information to aid customers in their risk management process," wrote Steve Adegbite on the MSRC (Microsoft Security Response Center) blog.
Of the 11 bulletins, four are rated "critical." The critical bulletins cover remote code execution issues in Internet Explorer, Active Directory, Host Integration Server's Remote Procedure Call Service and Office Excel.
The Internet Explorer bulletin deals with five issues that can be exploited if a user views a malicious Web page. Two of the five—an event-handling cross-domain vulnerability and an HTML element cross-domain vulnerability—are prime candidates for the development of consistent exploit code, according to the index.
The Excel bulletin fixes three vulnerabilities, including a formula parsing issue that is also considered a likely candidate for exploit code. The Host Integration Server vulnerability was declared likely to be exploited as well, and affects versions 2000, 2004 and 2006.
But administrators should not underestimate the Active Directory issue, which Shavlik Technologies CTO Eric Schultze warned is dangerous.
"If I am a customer running a network with Windows 2000 Active Directory, I would be very scared because now any user on my network can become domain administrator and can take over my network," Schultze said. "I think Microsoft is only somewhat saved by the fact that they believe that not many people are running Windows 2000 Active Directory anymore. I would think that you still probably have quite a bit out there."
Six of the remaining bulletins were rated important, and address issues in the Microsoft Ancillary Function Driver, the Windows Kernel, Microsoft Server Message Block Protocol, Virtual Address Descriptor, Message Queuing and the Windows Internet Printing Service. The final bulletin is rated "moderate" and fixes a vulnerability in Microsoft Office that could lead to data disclosure.
Malicious cyber activity has grown more prevalent and sophisticated during the past year and threats come from organized crime groups, terrorist organizations and foreign governments, according to a senior FBI official.
The increase in activity and sophistication poses a criminal and national security threat and has raised concerns from the government, the private sector and the country's overseas partners, Shawn Henry, an assistant director of the FBI who runs its Cyber Division, told reporters today. Henry said the current threats involve denying access to networks, compromising or changing data to affect its integrity and the theft of data.
“The amount of information that has been stolen is significant. There is no shortage of actors that are interested in stealing the data from a criminal perspective and from a national security perspective,” he said. “Over the past year the malicious activity has become much more sophisticated, much more prevalent.”
Henry also said the use of botnet attacks to spread malicious code and access networks continues to increase.
Henry said he thinks a greater awareness by criminals that cyber activities offer them access to more potential victims, greater potential rewards and the perception that the threat of incarceration is not as great as that for physical crime have led to the recent increase in financial losses from cyber crime.
Henry also said a “couple of dozen” countries that have an interest in stealing information from the United States have turned to electronic means to steal that information, but he declined to identify those countries.
“We’ve seen organized groups that have gotten together virtually where they have never physically met in the real world, but they get together online in a collaborative environment,” Henry said.
He said the FBI has tried to prioritize and forge partnerships.
“From a prioritization perspective, we can’t respond to every attack,” he said, adding that the volume of attacks was substantial and the attacks were sophisticated.
Henry said forging partnerships with state and local authorities, the private sector and foreign governments was also critical to fighting cyber crime.
In January, President Bush signed a classified presidential directive implementing the Comprehensive National Cybersecurity Initiative (CNCI), the government’s multi-year, multi-billion dollar effort to secure cyberspace.
When asked about FBI’s role in the CNCI, Henry mentioned the National Cyber Investigative Joint Task Force that he said will allow the FBI to improve situational awareness regarding investigations in the bureau's field offices. In addition, he said if the Homeland Security Department identified an intrusion in the .gov network, the FBI would perform the investigation.
Henry said since the inception of the Internet Crime Complaint Center, which the FBI co-founded in May 2000, the bureau has received more than a million online complaints. The center currently receives from 18,000 to 20,000 complaints each month, or about 200,000 complaints annually.
Cellphones will become members of botnets. VOIP systems will get hit by blackmailing denial-of-service attacks. The cybercrime economy will thrive, even as the global economy struggles.
And today, around 15 percent of all computers online are infected as bots, up from 10 percent last year, according to the Georgia Tech Information Security Center's (GTISC) new report on emerging cyber threats for 2009 and beyond.
“Compared with viruses and spam, botnets are growing at a faster rate,” said botnet researcher Wenke Lee, an associate professor at GTISC, in the report, which was released today at the GTISC Security Summit on Emerging Cyber Security Threats.
And it’s not just your laptop or desktop that’s at risk of botnet recruitment. One of the next big threats will be the bad guys injecting malware onto cellphones to infect them as bots. Those botnets then could be used against the wireless infrastructure.
“Large cellular botnets could then be used to perpetrate a DoS [denial-of-service] attack against the core of the cellular network,” said Patrick Traynor, assistant professor in the School of Computer Science at Georgia Tech and a member of GTISC. “But because the mobile communications field is evolving so quickly, it presents a unique opportunity to design security properly -- an opportunity we missed with the PC.”
Botnet proliferation on computers, as well as on mobile devices like cellphones, and other attacks on mobile devices were among the top five emerging cyber threats the GTISC report and summit highlighted. The other threats are malware, mainly via social networking links; cyber warfare targeted at the U.S. economy and infrastructure; and an evolving cybercrime economy with plug-and-play malware kits and programs, for instance.
GTISC’s Lee said firewalls and intrusion prevention systems can’t necessarily filter bot traffic, which increasingly is sent via HTTP so that it appears to be benign Web communications. Machines can get infected silently, via legitimate Websites booby-trapped with drive-by malware, and bot exploits are stealthier than ever.
“Bots can be delivered to a machine in a variety of ways -- via Trojans, emails, an unauthorized instant message client or an infected Web site. Once installed, bots lie low to avoid notice by antivirus and anti-spyware technologies,” the report said.
But because mobile devices have a shorter lifecycle than a PC -- about two years versus 10 years -- that ultimately could help manufacturers and security vendors better protect them, said Patrick Traynor, assistant professor in the School of Computer Science at Georgia Tech and member of the GTISC. The downside, however, is that battery power limitations on mobile devices could prevent these devices from being able to run security applications properly.
Look for open standards for handset security to make some headway next year, according to the report.
And meanwhile, more fodder on just how bad the botnet threat is to the enterprise: Ryan Naraine, security evangelist for Kaspersky Lab, said in the report that corporate machines are members of some of the biggest botnets. “It takes the average corporation two to three months to apply a Windows patch across all devices, so malware and botnets will continue to take advantage of known vulnerabilities within enterprise environments.”
Kaspersky said there will be a tenfold jump in malware objects this year, mainly due to identity theft and cybercrime focused on stealing data.
Other mobile threats on tap are increased attacks on smart phones as users deploy these devices for financial transactions, according to the report. And VOIP systems will also be abused. “Most people have been trained to enter social security numbers, credit card numbers, bank account numbers, etc. over the phone while interacting with voice response systems,” said Tom Cross, a researcher with IBM ISS’s X-Force team in the report. “Criminals will exploit this social conditioning to perpetrate voice phishing and identity theft.”
And VOIP systems will be at risk of DoS attacks. “Customers will demand better availability from phone service than they would from an ISP, so the threat of a DoS attack might compel carriers to pay out on a blackmail scam,” Cross said.
And even as the legitimate economy tanks, the cybercrime economy is booming. Cyber gangs offer malware kits for sale, lease, subscription, and pay-as-you-go, some with product guarantees and service and support, according to GTISC’s report. “Malware transitioned to the criminal world just over three years ago,” said Gunter Ollmann, chief security strategist for IBM ISS, in the report.
Ollmann says the cyber underground is split into three basic levels: criminals who use these kits to create malware for targeted attacks; skilled developers and technical experts who build components to embed into commercial malware-creation kits; and “managed service providers” who include services with these malware kits to “increase propagation and enable organized fraud on a global scale, feeding gains back into money laundering chains,” according to the report.
And look out for cyberwarfare to become more a part of the scene in the coming years, going hand-in-hand with traditional military action. Cyberwarfare will "play a more shadowy role in attempts by antagonist nations to subvert the U.S. economy and infrastructure" as well, the GTISC report said.