Tuesday, November 18, 2008

A University of the Cumberlands student is accused of hacking into other students' accounts and using the information to blackmail them.

Sungkook Kim, 23, is charged with identity theft and unlawful access to a computer, according to a press release from the Kentucky Attorney General's office. The office's cybercrime unit conducted a joint investigation with Williamsburg police.

The investigation began after a female student received an anonymous message about personal information that had been stolen from her e-mail account. The e-mail threatened to expose that information unless she complied with some specific demands.

Investigators said Kim pirated another person's wireless router to send the threatening e-mails and that he had installed spyware on college library computers to capture logon IDs and passwords for students and faculty, according to the attorney general's statement.

Additional charges could be filed. Kim is being held on a $100,000 bond.

posted @ 11:19 AM

As information has increased in value with the dynamism of the information age, so too have operations against it. Information operations used to be the purview of the military, but now they have become an element of cyberspace in general. Thus, the threats that once were limited to the military realm now are appearing in civil government and commerce. As military-style information operations begin to wreak havoc in civilian cyberspace, military-style countermeasures will need to be deployed.

The flip side of this coin is that the military is making greater use of information technologies and capabilities drawn from the commercial sector. So, the vulnerabilities that have characterized civilian cyberspace now are moving into the military realm. This cries out for commercial solutions to protect both military and civilian information assets.

And the threats to cyberspace are becoming more sophisticated across the board. The melding of useful cyberspace capabilities has its match in information operations. Cybermarauders ranging from basement hackers to foreign governments are adopting increasingly similar methodologies. Information operations now are being waged by virtually anyone with malice of intent in cyberspace.

In some cases, diverse malevolent groups are joining forces to wage their own forms of information operations for profit or political gain. Organized crime long has known the value of hacking into financial databases. Their efforts could be supplemented by a hostile government or terrorist group that seeks to carry out operations that cripple or even collapse a nation’s economy. A teaming arrangement could bring each partner greater success in their endeavors—more money for the crime organization, more geopolitical impact for the hostile government.

The good news is that civil government and the commercial sector are aware of the threat and are taking steps to defend against it. In the United States, the executive branch is pushing guidelines to promote standards for the private sector to develop security solutions to protect the critical infostructure. For its part, the commercial sector recognizes the need and is working with government to meet the challenge.

Both groups hope to draw from the military’s expertise in defensive information operations, and the military stands to gain from the commercial solutions that will apply to its commercial information capabilities. The military already is establishing new facilities and methodologies that go beyond traditional information operations. Its goal is to break the existing mold of fighting a holding action and actually move ahead of the cyberspace attacker.

Calling the information operations threat to cyberspace a global one constitutes the use of an obsolete concept. By definition, everything in cyberspace is global because its reach knows no geographical boundaries. Geographical characteristics do not apply in the least. So, to say that information operations in cyberspace are global in nature is akin to describing outer space in two dimensions.

Similarly, attempting to delineate parts of information operations—some of which, such as electronic warfare, predate the concept of information operations—is useful only for execution. The issue no longer is the means; the issue is the target and the goal. The target is information, and the goal may range from minor disruption to data theft, espionage and sabotage. Whichever goal it may be, as information has become the new currency of this century, information operations now reach into every application of cyberspace. And, all aspects of cyberspace must gird for the fight.

posted @ 11:18 AM

Unidentified miscreants have launched a denial of service attack on a UK-based anti-fraud website.

Bobbear.co.uk, which fights money laundering by warning about groups attempting to recruit mules, was left unreachable on Monday after coming under a distributed denial of service attack. Net security firm Sophos reports that the site was taken out by an assault from a botnet of compromised PCs that began late on Sunday. The timing of the assault coincides with the launch of Get Safe Online week in the UK.

It's pretty clear that Russian criminals are behind the attack and it is still continuing, site admin Bob Harrison told El Reg. "Undoubtedly it is simply a response to the work I do in highlighting the mainly Russian money laundering and reshipping frauds that are currently plaguing the internet and wrecking the lives of innumerable victims."

Harrison has reported the attack to the Met's computer crime unit and to Russian domains linked to the assault, more details of which can be found here.

It's not the first time the site has come under fire from cybercrooks. In October 2007 a spam campaign sought to discredit Bobbear by bombarding all and sundry with supposed begging requests. In reality the "Joe Job" junk mail messages, asking for donations through online payment service e-Gold, were nothing to do with site administrator Bob Harrison or Bobbear.co.uk.

UK hosts Fasthosts unwittingly aided fraudsters by temporarily suspending the Bobbear.co.uk domain in response to complaints about the fraudulent emails.

posted @ 11:18 AM

Internet users are being warned to stay vigilant by researchers who believe that next Monday could be the worst day of the year for computer attacks.

After analysing information on viruses and internet worms taken from more than 500,000 machines around the world, security experts at PC Tools have pinpointed November 24 as the potential peak of malicious software activity for 2008.

Data from 2007 showed that the high point of action from viruses, worms and other internet-based attacks came three days before America's Thanksgiving holiday, leading them to suggest that the same day could prove the bleakest 24 hours of this year.

The company says the increase in virus activity could be the result of internet shopping in the run-up to Christmas, as millions of users begin going online to purchase gifts for their friends and family.

With the chance for criminals to access financial details, online shoppers make an attractive target for the writers of malware.

The number of people shopping online this Christmas is expected to grow again this year, with internet sales in the UK alone predicted to hit £13.16bn – an increase of 15% over 2007.

More people are expected to use the web for their shopping as a way of finding lower prices to help them beat the credit crunch.

But while security experts are expecting the traditional increase of malware over November and December, they have also warned of another source of potential attacks. Spammers and criminals have attempted to use the popularity of American president-elect Barack Obama as a way to trick users into downloading malware.

A flood of emails purporting to link to a video of Obama's acceptance speech were actually connected to a trojan horse program which would compromise the target's PC. Meanwhile, a separate burst of spam messages contained a file called BarackObama.exe, which, when activated, places a rootkit on the victim's machine and opens it up to hackers around the world.

posted @ 11:17 AM

The dramatic fall in spam traffic reported last week after alleged rogue ISP McColo was taken offline will only be a temporary reprieve and could actually generate a new wave of Trojans, experts have warned.

ISPs disagree on the global percentage drop caused by the shuttering of California-based McColo last Tuesday, with estimates given by those contacted by Techworld ranging from 50 to 80 percent, but even the lower figure is still an unprecedented fall in such a short space of time. It appears that even those who were aware of its use as a hosting port had not guessed that a single ISP could be behind such a huge chunk of the world's spam.

"Our servers haven't been so relaxed for months," said Richard Cox, CIO of respected spam-fighting organisation, Spamhaus, ruefully. "This proves how important it is for the law to get at this sort of criminality."

Nevertheless, Cox doubted that the improvement would last long, and said it could actually lead to a rise in Trojan attacks as spammers who had used McColo to host botnet control infrastructure attempted to reconstitute their networks elsewhere in the coming weeks.

Paul Wood of MessageLabs said his company had also seen spam dipping sharply, which had hit specific troublesome botnets hard.

"We documented a massive drop in spam volume to levels eight times less than typical volumes for a period of 12 hours, immediately following the takedown, before spam levels began to rise again," he said.

"Further analysis of our metrics would suggest there has been an 80 percent drop from Mega-D and 60 percent from Srizbi; Rustock is down by 50 percent and Asprox down by 80 percent. Overall botnet traffic has reduced by approximately 30 percent in the 24 hours following the takedown."

In fact, McColo was the third ISP of significance to the criminal world to face disruption in a matter of weeks, he said, referring in particular to the de-peering of Intercage by ISPs in September.

How the botnet controllers reacted in the coming weeks would depend on how easily they could regain control of compromised 'zombie' PCs. If that proved hard, it was possible that new PCs would need to be hit with Trojans in order to start new botnets from scratch.

"It depends on the botnet in question and whether the bad IPs at McColo can be re-activated by another rogue ISP sooner or later," he said.

Adam O'Donnell of Cloudmark was less convinced that the reduction in spam volumes held much significance for the average user, especially business users sitting behind filtered connections.

"We have seen a drop in IP connection attempts that would have been dropped anyway," he said. "This is not like cleaning up a mess in the street," and the problem would return once the botnetters had found new hosters. "I give it two weeks," he said.

Despite the relentlessly upward movement in spam volumes over time, the occasional fall is not unheard of, with a single botnet going offline reportedly reducing traffic in early 2007.

According to Ed Rowley of recently-merged spam filtering outfit Marshal8e6, McColo could have a positive long-term effect in at least one way: convincing the authorities that tackling spam was now possible. In the past, the industry had been reluctant to shut down other ISPs, regardless of evidence of wrongdoing, but this might now change.

"There is a strong feeling that this [closing problem ISPs] is not a bad thing," he said.

posted @ 11:16 AM

An ISP associated with online crime and child pornography briefly came back online over the weekend before being cut off again, according to security vendors.

McColo, whose servers are in San Jose, was cut off from the Internet last week by its upstream providers after an investigation by computer security analysts and The Washington Post.

But McColo came back online on Saturday, after connecting with Swedish ISP TeliaSonera, which has a router in San Jose, according to Ross Thomas, writing on the blog for security vendor Sophos.

After complaints, TeliaSonera quickly moved to cut off McColo again, Thomas wrote. But the brief renewal in connectivity did allow cybercriminals running botnets out of McColo's networks to take steps to preserve their operations.

McColo has been identified as hosting the command-and-control servers for no less than five large botnets that are responsible for the majority of the world's spam. When McColo dropped offline, analysts found that spam levels dropped up to 75%.

Spam takes a heavy toll on IT infrastructure, consuming bandwidth and potentially exposing users to malicious software.

When McColo came back online, it appeared that the hackers who controlled the command-and-control servers for a botnet called Rustock moved the controls for that botnet to a data center in Russia, according to the blog for security vendor FireEye.

"We believe that the Rustock controllers don't expect McColo to be very stable in the near future, so they are hedging their bets and moving the C&Cs to a different provider," according to FireEye.

PCs infected with malicious software that enables them to be part of the Rustock botnet were also at least partially updated. The update would allow the computers to report to the new Russian command-and-control server to receive orders.

Since McColo was online for only a short period, "there's no way that the whole botnet was updated, but no doubt they got a good-sized piece," FireEye said.

Security analysts have predicted that spam levels will rise again as hackers who used McColo move their operations to other ISPs that are willing to protect spammers and other criminal enterprises, such as those who sell bogus security software or pharmaceuticals.

"Rustock is estimated to be capable of sending 30 billion spams per day," Thomas wrote. "How big an increase we'll see depends largely on the number of zombie PCs the botnet's controller was able to reach during McColo's temporary resurrection."

posted @ 11:15 AM