From the category archives:

Cyber Crime

Internet security risks test U.S. government preparedness

by Bill Cullifer on February 23, 2010

WorldFocus.org takes a look beyond the headlines at increasing concerns over cyber-security, a problem that was recently highlighted by an online assault on Google from China.

This event added to fears of a digital attack that could cripple the information superhighway. In Washington, former security officials have met to role-play how the government would cope with such an attack.

For more, Martin Savidge interviews James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies.

Lewis discusses the readiness of the government to deal with an attack and the likelihood of one taking place. He also talks about how this issue could impact U.S.-China relations.

{ 0 comments }

Beware of the Botnet: Attack hits corporations and agencies

by Bill Cullifer on February 19, 2010

Recent press reports reflect that a significant number of corporations, govt agencies infiltrated by `botnet,’ according to news announcements.

According to Wikipedia, a Botnet is a jargon term for a collection of software robots, or bots, that run autonomously and automatically. The term is often associated with malicious software, but it can also refer to the network of computers using distributed computing software. While botnets are often named after their malicious software name, there are typically multiple botnets in operation using the same malicious software families, but operated by different criminal entities.

While the term “botnet” can be used to refer to any group of bots, such as IRC bots, this word is generally used to refer to a collection of compromised computers (called zombie computers) running software, usually installed via drive-by downloads exploiting web browser vulnerabilities, worms, Trojan horses, or backdoors, under a common command-and-control infrastructure.

A botnet’s originator (aka “bot herder” or “bot master”) can control the group remotely, usually through a means such as IRC, and usually for nefarious purposes. Individual programs manifest as IRC “bots”. Often the command-and-control takes place via an IRC server or a specific channel on a public IRC network. This server is known as the command-and-control server (“C&C”). Though rare, more experienced botnet operators program their own commanding protocols from scratch. The constituents of these protocols include a server program, client program for operation, and the program that embeds itself on the victim’s machine (bot). All three of these usually communicate with each other over a network using a unique encryption scheme for stealth and protection against detection or intrusion into the botnet network.

A bot typically runs hidden and uses a covert channel (e.g. the RFC 1459 (IRC) standard, twitter or IM) to communicate with its C&C server. Generally, the perpetrator of the botnet has compromised a series of systems using various tools (exploits, buffer overflows, as well as others; see also RPC). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community. The process of stealing computing resources as a result of a system being joined to a “botnet” is sometimes referred to as “scrumping.”

Botnets have become a significant part of the Internet, albeit increasingly hidden. Due to most conventional IRC networks taking measures and blocking access to previously-hosted botnets, controllers must now find their own servers. Often, a botnet will include a variety of connections and network types. Sometimes a controller will hide an IRC server installation on an educational or corporate site where high-speed connections can support a large number of other bots. Exploitation of this method of using a bot to host other bots has proliferated only recently as most script kiddies do not have the knowledge to take advantage of it.

Several botnets have been found and removed from the Internet. The Dutch police found a 1.5 million node botnet and the Norwegian ISP Telenor disbanded a 10,000-node botnet. Large coordinated international efforts to shut down botnets have also been initiated.[4] It has been estimated that up to one quarter of all personal computers connected to the internet may be part of a botnet.[5]

According to recent press reports, security experts have found a network of 74,000 virus-infected computers that stole information from inside corporations and government agencies. The unusual thing about the incident is not that it happened but that it was discovered, and it is a reminder of the dangers of having computers with sensitive data connected to the open Internet.

More than 2,400 organizations, including financial institutions and energy companies and federal agencies, were infiltrated by the “botnet,” according to the NetWitness Corp. security firm, which discovered it.

NetWitness didn’t name the companies or agencies whose computers were compromised. The Wall Street Journal said the affected companies included Merck & Co., Cardinal Health Inc., Paramount Pictures and Juniper Networks Inc. Merck and Cardinal Health said in statements Thursday that one computer in each company was among those in the botnet but no sensitive information was taken.

The victims don’t appear to have been specifically targeted, unlike the recent computer attacks on Google Inc. that prompted the Internet search leader to threaten to pull its business out of China. That’s an important distinction, because it shows how online secrets can fall into the wrong hands even when criminals aren’t necessarily looking for them.

“This kind of stuff is out there and it’s pervasive,” said Amit Yoran, CEO of NetWitness and former cybersecurity chief at the U.S. Department of Homeland Security. Parts of the botnet discovered by his firm likely are still active. He said the network appears to be run from computers in Eastern Europe and China, but it’s not certain the perpetrators are there.

Botnets are networks of poisoned PCs that are remotely controlled by hackers and behave like their criminal robots. The PCs are often infected when their owners visit bad Web sites or open malicious e-mail attachments.

Botnets are a major tool for cybercrime. They help criminals amass troves of stolen data that they can sell on the black market or use for their own schemes, such as yanking money from victims’ bank accounts.

The biggest on record is the one created by the Conficker worm. That infected anywhere from 3 million to 12 million PCs running Microsoft Corp.’s Windows operating system and is still active.

The botnet NetWitness discovered used malicious software called “ZeuS” that steals passwords and other online credentials. It’s primarily focused on poaching Internet banking credentials and is well known in the security community.

The fact that so many companies and government agencies were hit generally appears to have been incidental. Yoran said the attackers were targeting specific information rather than specific organizations.

Still, they were very successful, snatching more than 68,000 credentials over four weeks. Most of those credentials were login details for Facebook and Yahoo and other personal e-mail services. On the face of it those aren’t the most sensitive pieces of information, but they can hold the keys to unlocking other types of online accounts and private data.

Security experts who weren’t part of the NetWitness report said the findings illustrate the growing risk from the ZeuS software, whose authors are constantly updating it to evade detection by antivirus software and other security measures.

A bigger concern, Jackson said, is a new version of ZeuS that has appeared in the last few months and is more powerful and even harder to detect.

{ 0 comments }

Web Security Predictions for 2010

by Bill Cullifer on January 3, 2010

Web Security Threats Projected to Grow for 2010

2010 will see increasing Web security threats and are projected to grow to users of social networking and media sites such as Facebook and Twitter, according to security vendor McAfee. “In 2009 we saw increased attacks on websites, exploit cocktails thrown at unsuspecting users, infrastructure failure via natural and unnatural causes, and ‘friendly fire’ become a larger problem than ever.”

The report also warns future users of the Google Chrome operating system to be aware of attacks in HTML 5.

“It really speaks to a Web 2.0 world. People communicate differently today, people transact and pay their bills differently today, and that drives today’s criminals,” ABC Science quoted David Marcus, director of security research and communications for McAfee Labs, which this week released its 2010 Threat Predictions report, as saying. “Bad guys tend to go where the masses go,” he added.

Not only has the volume of threats escalated dramatically, the delivery methods have also become more sophisticated, he said.”With Facebook reaching more than 350 million users, we expect that 2010 will take these trends to new heights,” security vendor McAfee said in its “2010 Threat Predictions” report

{ 0 comments }

PCI DSS Security Standards Council Compliance Survey Results

by Bill Cullifer on September 25, 2009

A recent survey conducted by Imperva and the Ponemon Institute reflects that companies still struggle to protect consumer data.

According to the findings of a survey across more than 500 U.S. and multinational IT security practitioners showing that, despite the Payment Card Industry’s (PCI) Data Security Standard (DSS), companies still struggle with data security, putting consumers at continued risk for identity theft. In fact, 71% of companies surveyed admit to not making data security a top strategic initiative, and 55% admit to only securing credit card information and not sensitive information such as Social Security numbers, driver’s license numbers, and bank account details. However, the survey also found that companies taking a strategic approach to PCI compliance have fewer data breaches.

According to press reports, the survey, which covered 560 U.S. and multinational organizations, asked respondents a variety of questions about their investments and deployment of technology to comply with PCI DSS, which was introduced in 2005. It’s an industry standard created by major credit card companies that’s designed to protect customer payment data.

The survey found that 55 percent of organizations only secured credit card information but not other data such as Social Security and driver’s license numbers or bank account details. Also, only 28 percent of smaller companies between 501 to 1,000 employees comply with PCI DSS. That compares with more than 70 percent of large merchants with 75,000 or more employees that claimed they’re compliant.

According to a PCWORLD interview, “If you go the larger organizations to do business, you are more likely to be secure today,” said Amichai Shulman, CTO for Imperva, which makes security software for businesses to comply with PCI DSS. Imperva commissioned the survey from Ponemon Institute, a company that conducts research into privacy and information security policy.

The prime reason that companies don’t comply with PCI DSS is cost, Shulman said. “They don’t go to the effort to be compliant because it’s all or nothing, so they currently do nothing,” Shulman said.

Larger companies find it somewhat easier to handle the costs, he said. On average, companies spend about 35 percent of their IT security budgets on PCI DSS compliance.

Payment card companies mandate compliance, and most merchants are supposed to be compliant by now, according to information on the PCI Security Standards Council’s Web site.

The survey turned up some other disconcerting results. Around 10 percent of the respondents who said they were PCI DSS compliant said they weren’t using basic security software such as antivirus, firewalls and SSL (Secure Sockets Layers), Shulman said.

PCI doesn’t prescribe the use of specific software products but instead promotes practices and general advice, such as using a firewall and antivirus. In recent years, vendors have developed products to make the implementation of PCI DSS easier. Still, the result was surprising and indicative of perhaps continuing confusion or difficulty some businesses are having with PCI DSS.

“I would find it very hard to explain why I’m not using SSL as part of my PCI compliance,” Shulman said. “It seems to me that there is too much room for misinterpretation of the requirement, and companies are abusing it.”

PCI DSS is in the process of being updated, and the survey will be used as input. The PCI Security Standards Council, which was set up by major credit card companies in 2006, is collecting feedback through Oct. 31 on changes to a new version of the standard, due for release in September 2010.

Today’s Web Pro Minute is sponsored by the Adobe Corporation.

Adobe Announces Free eSeminars for Web Professionals

The time is now to be brilliant with your web design and development. Take an hour to join us for complimentary Adobe® Creative Suite® 4 online eSeminars and discover how to redefine the extraordinary in web design and development with Adobe® Creative Suite® 4 Web Premium Software.

Register Today for the Adobe Creative Suite 4 eSeminar Series for Web Professionals

{ 0 comments }

Cyber Fraud: A Few Fast Facts

by Bill Cullifer on September 16, 2009

Greetings WOW Members and Web Professionals everywhere!

Last week we podcasted an interesting interview with Laura Mather, PhD Founder and VP of Product Marketing Silver Tail Systems an anti fraud company and a volunteer for the anti phishing working group APWG. The topic was the size and scope of cyber crime and what to do about it. To add additional perspective to the topic, for today’s podcast, I’ll hone in on a few of the specific online fraud details that you should be aware of.

According to an 2008 report on Cyber Fraud conducted By CyberSource.com, “Managing online fraud continues to be a significant and growing cost for merchants of all sizes.”

According to the surveys executive summary, total losses from online payment fraud in the U.S. and Canada have steadily increased and in 2007, the report estimates that $3.6 billion in online revenues will be lost to online fraud up from $3.1 billion in 2006.

A few key findings:

* The percent of accepted orders which are later determined to be fraudulent increased slightly.
* The share of incoming orders merchants decline to accept due to suspicion of payment fraud was also up slightly.
* Merchants with order rejection rates near or above the 4.2% rate are rejecting a significant number of valid orders.
* Chargeback’s Understate Fraud Loss by as Much as 50%
* International orders is over two-and-one-half times as high as domestic orders.
* Merchants also reject international orders at a rate two-and-one-half times higher

Whether you’re designing or developing for the eEnterprise or small business, it would be worth your time to review the entire survey.

{ 0 comments }

Phishing, Cyber Crime and the Ugly Truth

by Bill Cullifer on September 1, 2009

 
icon for podpress  Phishing, Cyber Crime and the Ugly Truth : Play Now | Play in Popup | Download

 
icon for podpress  Phishing, Cyber Crime and the Ugly Truth : Play Now | Play in Popup | Download

Greetings Web professionals everywhere! The topic for today’s podcast is Phising, Cyber Crime, the ugly truth and what we need to know and do about it. To assist us in better understanding the size and the scope of the problem, I reached out by telephone to Laura Mather, PhD Founder and VP of Product Marketing Silver Tail Systems an anti fraud company and a volunteer for the anti phising working group APWG.

In this three minute podcast, Dr. Mather, a former EBay executive provides key insights to how prevalent the issue has become, what we need to know as Web professionals and anti phishing educational resources we can share with our customers. She also ask that we participate with feedback as well.

According to Wikipedia, Phishing in the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Even when using server authentication, it may require tremendous skill to detect that the website is fake. Phishing is an example of social engineering techniques used to fool users, and exploits the poor usability of current web security technologies.[3] Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.

A phishing technique was described in detail in 1987, and the first recorded use of the term “phishing” was made in 1996. The term is a variant of fishing. probably influenced by phreaking, and alludes to baits used to “catch” financial information and passwords.

Today’s Web Pro Minute is sponsored by the crew at An Event Apart Conference taking place in Chicago, Il October 2009 at the Sheraton Hotel and Towers. The conference is from the makers of A List Apart: An Event Apart is an intensely educational two-day conference for passionate practitioners of standards-based web design. Save $100 when you
register with discount code AEAWOW. Check it out today and save!

{ 0 comments }