Monday, October 20, 2008
As many of you already know, the anti-Midas touch of the financial crisis is spreading to the technology sector. Sequoia Capital, one of the largest VC funds in Silicon Valley, gave a presentation that pretty much said become profitable now or pack up and go home. Security seemed to be counter-cyclical during the last bust, with Guardent, @Stake, SecurityFocus, and many others either started or acquired during the downturn. Several other security analysts/bloggers and I believe that this time, however, is different, and our field will experience the same cutbacks that we will see across the broader tech industry, albeit less severely.
Security spending won’t grind to a halt. People will always need spam filters and anti-virus packages. What I do expect, however, is fewer product and technology innovations that provide only marginal security improvements in the coming months to years. Much like a homeowner who won’t renovate their basement when the toilet is leaking from the bottom seal, no one is going to pay for a new database security solution when their UTM can barely keep the web compromises down. Anyone who wants to push a new product forward had better be solving a preexisting problem in an established market far more effectively, and at a lower cost, than their competitors to have a chance.
It’s not all bad news, though. Downturns are great for attackers! Limited resources mean machines will stay online longer, and reduced staffing means they are likely to stay unpatched for greater intervals. Home users will be stretching their budgets even further, and replacing a “perfectly fine computer” is going to be at the bottom of the list. I expect all the distributed attack problems, such as spam driven by bots, to continue to increase as a result.
The bottom line is that we will all be forced to focus on the fundamentals: dispense with products and processes that don’t keep us secure, and keep only those that do so with our current hardware and a minimum of human oversight.
During the third quarter of 2008 we saw a sharp increase in malware being delivered as e-mail attachments. This was surprising as malicious attachments in e-mails are usually not successful in reaching the recipient because they are automatically removed by the Internet Service Provider or by the e-mail client. As a result, malware authors stopped using this approach and moved on to using links in e-mails or automatic downloads via exploits from websites.
The recent attachments were inside an archive, typically a ZIP file which unfortunately isn't filtered by most security solutions. Some of the archives even required a password, making it more difficult for anti-virus solutions to scan them.
The different themes used to trick the user into running the file included bills or receipts from a variety of companies, such as JetBlue and UPS, and greeting cards. This approach is not unlike phishing scams, where the risk of losing money is used to trick the user into running the file and getting infected.
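One way a mail gateway can act on the two evasions described above (the archive wrapper and the password-protected archive), as an added defender-side example that is not part of the original report: it reads the ZIP central directory, where the encryption flag is visible even when the entry contents are not, and quarantines archives that are encrypted or that carry executables. The sample archives, their filenames and the EXEC_EXTS list are constructed for the demo.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header
# Extensions a gateway treats as executable no matter how the lure names them (assumed list)
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")


def zip_entries(data: bytes):
    """Walk the central directory; yield (name, general-purpose flags, offset of flag field)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or len(data) - eocd < 22:
        raise ValueError("not a ZIP archive: no end-of-central-directory record")
    rec = struct.unpack_from("<4s4HIIH", data, eocd)
    total, pos = rec[4], rec[6]          # entry count, central directory offset
    for _ in range(total):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("corrupt central directory")
        hdr = struct.unpack_from("<4s6H3I5H2I", data, pos)   # 46-byte fixed header
        flags = hdr[3]
        name_len, extra_len, comment_len = hdr[10], hdr[11], hdr[12]
        name = data[pos + 46:pos + 46 + name_len].decode("cp437")
        yield name, flags, pos + 8       # flag field sits at header offset 8
        pos += 46 + name_len + extra_len + comment_len


def triage_attachment(data: bytes) -> dict:
    """Decide what a mail gateway should do with a ZIP attachment."""
    findings = []
    for name, flags, _off in zip_entries(data):
        base = name.rsplit("/", 1)[-1].lower()
        if flags & 0x1:                  # bit 0: entry is encrypted, AV cannot scan it
            findings.append(f"{name}: encrypted entry, content cannot be scanned")
        if base.endswith(EXEC_EXTS):     # catches lures like 'invoice.pdf.exe'
            findings.append(f"{name}: executable inside archive")
    return {"verdict": "quarantine" if findings else "scan_contents", "findings": findings}


def build_sample(names, mark_encrypted=False) -> bytes:
    """Constructed sample archive for the demo (not a real malware sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for n in names:
            zf.writestr(n, "constructed placeholder content")
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        # Sets only the metadata bit; a real password-protected ZIP also encrypts the entry bytes.
        for _n, _f, off in list(zip_entries(bytes(data))):
            data[off] |= 0x01
    return bytes(data)
```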
As the presidential election in the United States nears its climax, criminals are busy devising sensational headlines related to the candidates in order to persuade people to click on spam e-mails. A recent spam run has already set the tone by claiming to reveal a sex scandal involving Senator Barack Obama, the Democratic candidate. The e-mail with the fake news contains an attachment that links to a pornographic video.
In order to conceal the primary intent of the e-mail – which is to infect computers with a trojan that collects information about bank transactions – the video starts playing when the malicious file is downloaded and executed. Consequently, every time Internet Explorer is launched and the user connects to certain banking sites, especially well-known banks in Germany, the trojan collects the information and posts it to the website of a fictional "Medved Hotel" in Finland. The layout of the website looks convincing to unsuspecting users because it has been stolen from a real Finnish hotel.
We expect much more spam with a presidential election theme in the run-up to polling day.
While applauding efforts by the courts and police forces of different countries in challenging cyber crime, Mikko Hypponen, F-Secure's Chief Research Officer, believes that there should be an international agency with the enforcement power to get a grip on organized online crime.
"The Internet has no borders and online crime is almost always international, yet local police authorities often have limited resources for investigations. Even if the locations of online criminals are discovered, the investigations rarely uncover the full scope of the crime. The victims, police, prosecutors and judges cannot see the full picture and therefore don't know the true costs of the crime," says Hypponen.
"Antivirus and security companies are not law enforcement, nor should they be. They are protecting their customers' computers but little can be done directly by non-governmental organizations to fight the criminals at the heart of the matter. We should consider the creation of an online version of Interpol – 'Internetpol' – that is specifically tasked with targeting and investigating the top of the crimeware food chain," says Hypponen.
Hypponen recognizes that such an organization would clearly face a number of legal and other challenges. For example, malicious code is often created from countries where it is not illegal or not prosecuted. "But if we do not act now to fight the source of crimeware, it will continue to grow stronger and threatens to destroy the current model of Internet business, banking and commerce," he says.
As the international banking crisis shakes up the world economy, leaving consumers confused as to which bank might be holding their savings account or mortgage this week, phishers are taking advantage of the situation to obtain personal information such as bank account details or credit card numbers.
The US Federal Trade Commission issued an alert last week urging Internet users to be on guard against e-mails that look as if they come from a financial institution that has recently acquired a consumer's bank, mortgage lender or savings and loan association.
"Currently there only seem to be e-mails related to Wachovia Corporation's sale to Citibank being used as bait. The phish is attempting to get the recipient to download a new 'certificate' from a Wachovia phishing site. However, instead of collecting information, this attack will also install a banking Trojan," explains F-Secure Security Advisor Sean Sullivan.
In New Zealand, Owen Thor Walker, 18, known online as "AKILL" and dubbed the "Kiwi botmaster king" in the international media, escaped a jail sentence in July despite pleading guilty to developing banking trojans that earned an estimated USD 15.4 million for a criminal gang.
The court ordered the teenager to pay damages and costs of about USD 10,800, with the judge describing him as a young man with a "potentially outstanding future" after he cooperated with the police. The judge stated that Walker, who suffers from Asperger's Syndrome, a mild form of autism, was hacking from curiosity rather than criminal intent.
Walker was arrested after an 18-month investigation by New Zealand, Dutch and American authorities. According to TVNZ, Walker collaborated with an American student to infect 1.3 million computers, costing the victims around USD 20 million. Walker is now reportedly being wooed by major computer companies overseas. Local police also said that Walker's "talents" could come in handy.
During the last quarter there have been several interesting legal cases involving Internet crime, which highlight the challenges of bringing cyber criminals to justice.
In the United States, a prolific spammer who had received a long prison sentence saw his conviction overturned by the Virginia Supreme Court in September. Jeremy Jaynes was the first person to be tried and sentenced under an anti-spam law enacted in 2003. Following an appeal, the Virginia Supreme Court decided that the state Anti-Spam Law violated the First Amendment to the United States Constitution concerning the right to free and anonymous speech.
The Court documents show that there was no question about Jaynes' guilt. He used several computers, routers and servers to send over 10,000 e-mails within a 24-hour period to subscribers of America Online, Inc. (AOL) on three separate occasions. He intentionally falsified the header information and sender domain names before transmitting the e-mails.
While searching Jaynes' home, police discovered CDs containing over 176 million full e-mail addresses and 1.3 billion e-mail user names. They also confiscated storage discs which contained private account information for millions of AOL subscribers. The AOL user information had been stolen from AOL by a former employee and was in Jaynes' possession.
Just six months ago, the same court upheld the Anti-Spam Law and determined that there is no First Amendment right to spam. The latest reversal has provoked many questions from Internet security commentators.
A teenager who took part in a distributed denial of service attack against the so-called church of Scientology has been charged.
Dmitriy Guzner, 18, of Verona, New Jersey, is charged with helping in the attack on Scientologist servers in January. He has agreed to plead guilty to a single felony charge of unauthorized impairment of a protected computer and pay $37,500 in damages.
Guzner identifies himself as a member of the online group called ‘Anonymous’. The group is a loose collection of internet activists who undertake online activities, such as the attack on Scientology (dubbed Project Chanology), the tracking and arrest of suspected paedophile Chris Forcand and the hacking of vice-presidential candidate Sarah Palin’s email.
The Justice Department has said that Guzner will be put on trial in the coming weeks and could face up to ten years in prison.
According to court papers Guzner "knowingly caused the transmission of information, codes and commands and as a result of such conduct, intentionally and without authorization caused damage by impairing the integrity and availability of data, a program, a system and information on a computer system that was used in interstate and foreign commerce and communications, specifically websites belonging to the Church of Scientology, thereby causing loss to one or more persons aggregating at least $5,000 in value."
The attacks were carried out by a variety of people and illustrate the extent to which a small group of individuals can attack organisations against which they feel they have a grievance.
In this case skilled members of the group wrote attack code, which was then sent to ordinary members who carried out the attacks. At the same time, other members sent faxes of pure black paper to the church to use up toner and spammed its phone lines with crank calls.