Quote of the day
Those who want to succeed will find a way, those who don't will find an excuse.
Leo Aguila
IT and Related Security News Update from Centre for Research and Prevention of Computer Crimes, India (www.crpcc.in) Courtesy - Sysman Computers Private Limited, Mumbai
Quarantine
To move an infected file, such as a virus, into an area where it cannot cause more harm. Antivirus software comes with quarantine options so that the user can also keep track of virus activity.
CHINK : German Hackers Claim to Bypass Chinese Firewall Security
By John Leyden
7th August 2008
http://www.theregister.co.uk/2008/08/07/torbrowser_olympics/
German hackers have constructed a route around the great firewall of China. The Chaos Computer Club said its technology will help athletes and journalists travelling to Beijing for the Olympic Games to circumvent censorship.
Visitors to China are being offered USB sticks containing a browser that connects via the TOR proxy network. These "Freedom Sticks", regular USB drives with pre-installed copies of the TorBrowser and Torprojects software, will only be available during the two-week period of the games. The Chaos Computer Club has also set up a dedicated micro-site that offers separate downloads of the software at http://chinesewall.ccc.de/freedomstick-en.html.
In a parallel move, German digital rights activist group FoeBuD is offering similar "privacy dongles" through its web store for sale (https://shop.foebud.org/product_info.php?pName=privacydongle-torpark-auf-usbstick-p-151) at €20.
TOR point
TOR is a worldwide network of servers, run by volunteers, that provides a means to anonymise data sent over the internet. Information sent over the network is encrypted and routed through different servers on the TOR network.
China uses a network of filtering and blocking technologies, mostly supplied by Western technology firms, to block access to sites about Falun Gong, reports of the Tiananmen Square protests of 1989 and the Tibet independence movement. Until recently news reports on the BBC were also blocked.
Using proxies to get around these controls and browse blocked sites isn't hard (at least for the tech-savvy), but maintaining anonymity is a problem, which is where the TorBrowser software and freedom sticks come in. Using the technology to send data out of China anonymously is another potentially useful application. The slower download speeds that come from using an anonymiser network are a minor drawback in comparison.
Chaos Computer Club is offering the technology partly to offer an easy way around Chinese censorship restrictions, but also to make a political point much closer to home.
Controversial new German laws on data retention may make it a criminal offence to operate TOR network nodes. The regulations are the subject of an appeal to the German Federal Constitutional Court.
"We are calling upon the German authorities to stop criminalizing the operators of servers of the TOR network. The behavior of the authorities is detrimental to the people in oppressive states, whose lives are at risk. China is only one of many examples", said Björn Pahls of the Chaos Computer Club.
JAILED : Credit Card Scammer Jailed in UK
Daily Mirror, SriLanka
08-08-08
http://www.dailymirror.lk/DM_BLOG/Sections/frmNewsDetailView.aspx?ARTID=22745
A Sri Lankan petrol station cashier was jailed in Britain on Wednesday for helping to defraud an entire British village.
Abdul Samad Mohamed Raik cloned more than 500 debit or credit cards to steal £175,000 in a global fraud allegedly driven by links to a guerrilla group in Sri Lanka.
Barely a single household in Houghton on the Hill, Leicestershire, escaped the scam, which was carried out over a two-month period late last year.
Residents in the village, which has a population of around 1,500, had no idea that they had been targeted until learning from their banks that their accounts had been plundered all around the globe.
Leicester Crown Court heard on Wednesday how Raik, a Sri Lankan national, used a fake card reader to copy the card details of both villagers and motorists passing through the area.
Fake cards were then used to withdraw cash from the customers' accounts in countries all around the world including Australia, Senegal, India, Canada and the Philippines.
Although some attempts to withdraw money were refused, other victims of the scam lost cash which was withdrawn on the same day at locations hundreds of miles apart.
Justin Wigoder, prosecuting, said the owner of Houghton Garage, Jim Funnell, had no idea what was going on while Raik was at the till. Raik, 33, worked at the village's Jet filling station and its shop for 13 months and carried out the fraud between October and December last year.
He left his job at the end of 2007 when the scale of the scam became clear to locals.
He gave himself up to police in March. He claimed he became involved after running up a debt with a loan shark who was linked to the Sri Lankan guerrilla group the Tamil Tigers.
Raik told police he was given the cloning equipment and ordered to use it to pay off what he owed - and more besides.
The organisers also provided him with a fake Indian passport and told him he could use it to flee the country afterwards, he claimed.
Raik was jailed for two years and nine months after admitting obtaining property by deception and possessing a false passport. Sentencing him, Recorder Duncan Smith said Raik was guilty of a 'gross breach of trust' towards Mr Funnell, who 'relies on the good faith of his staff and on the custom his customers bring him'.
VULNERABILITY : Internet flaw a boon to hackers
07-Aug-2008
http://afp.google.com/article/ALeqM5jGvRLgfyaXN2UjsultjZ5KjVy_-w
LAS VEGAS, Nevada (AFP) — Computer security professionals crammed into a Las Vegas ballroom on Wednesday for the first public briefing on an Internet flaw that lets hackers hijack traffic on the World Wide Web.
"There is a bunch of weird (stuff) going on out there right now," expert Dan Kaminsky told AFP, confirming that attacks are being launched online despite efforts to conceal and patch the vulnerability in the Internet's foundation.
Kaminsky, the director of IOActive penetration testing, was met with applause and cheers when he stepped to a podium at the premier Black Hat conference to reveal details of an attack that is a boon to ill-willed hackers.
An elite squad of computer industry engineers labored in secret to solve the problem, and released a software "patch" in early July but sought to keep details of the vulnerability hidden until Black Hat to give people time to protect computers from attacks.
The Domain Name System (DNS) flaw was figured out and spread online within two weeks of the patch's release and US telecom giant AT&T was the first confirmed victim of an attack.
Kaminsky said that while businesses are still hustling to protect their Internet traffic, only 15 percent of Fortune 500 companies have "done nothing" to defend their computers.
"How do you force a server to 1.badguy.com?" Kaminsky asked rhetorically as he addressed the crowd. "Oh, let me count the ways. God, it's good to be finally able to talk about this stuff."
Kaminsky stumbled upon the DNS vulnerability about seven months ago and reached out to industry giants to collaborate on a solution.
DNS is used by every computer that links to the Internet and works similarly to a telephone system routing calls to the proper numbers, in this case the numerical online addresses of websites.
The vulnerability allows "cache poisoning" attacks that tinker with data stored in computer memory caches that relay Internet traffic to its destination.
The flaw has existed since 1983 and may well have been exploited without victims noticing.
The vulnerability also lets hackers hijack emails and supposedly secure online transactions.
The potential for using it as a weapon in nation-sanctioned cyber war or organized crime sprees was "wide open," said Jerry Dixon, former director of cyber security for the US Department of Homeland Security.
"I've spent the last month terrified of large companies having all their email stolen because of a bug I found out about," Kaminsky said.
The vulnerability is centered in servers used by companies to access the Internet and handle email.
Home computer users whose online activities are channeled through Google, Yahoo, Microsoft or other major Internet properties should be safe because those firms have been alerted to the problem, according to Kaminsky.
"Most home users are more likely than not operating in a protected environment," Kaminsky said. "It is more likely they will be less protected at work than when they are at home."
That is because some companies have yet to safeguard their computer networks.
The patch is a temporary fix and doesn't defend against every kind of what is referred to as a "man in the middle" attack.
The US Computer Emergency Readiness Team (CERT), a joint government-private sector security partnership, is among the chorus urging people to quickly protect computers linked to the Internet.
Kaminsky built a web page, www.doxpara.com, where people can find out whether their computers have the DNS vulnerability. On Wednesday, he released details of the vulnerability on the website.
"We have to get better about fixing the infrastructure," Kaminsky said. "We got lucky fixing this bug but may not be so lucky next time."
In a warm touch, Kaminsky's grandmother Raia Maurer baked cookies for the security experts attending her grandson's talk.
"I'm so proud of him," Maurer said. "He explained it so even I can understand it."
ABUSE : Google Sites exploited to bypass spam filters
By Matthew Broersma,
ZDNet UK
06/Aug/2008
http://www.zdnetasia.com/news/security/0,39044215,62044570,00.htm
Spammers have added Google Sites to the arsenal of online tools used to get around junk-e-mail filters, according to a study published on Tuesday by messaging security firm MessageLabs.
Spammers had already been making use of Google Docs, Google Page Creator and Google Calendar as spam-hosting facilities, but Google Sites is a recent addition, according to the MessageLabs Intelligence Report for July 2008. Junk e-mailers are using the tool to automatically create Web pages with names composed of a string of random numbers and letters, resulting in an address that is more difficult for signature-based antispam tools to block, MessageLabs said.
The Google Sites abuse indicates that spammers are becoming more advanced at getting around the Captcha (Completely Automated Public Turing test to tell Computers and Humans Apart) mechanisms used to defend against the automated sign-up tools frequently used by junk e-mailers, said MessageLabs' chief security analyst, Mark Sunner.
"While Google Sites spam accounts for only one percent of all spam currently, we anticipate that this technique's popularity will rival that of its predecessors: Google Docs, Calendar and [Page Creator] spam," Sunner said in a statement.
The report found that the number of new, malicious Web sites blocked each day has increased by 91 percent, from 2,076 in June, to a daily average of 3,968 in July, with the increase largely due to Web sites linked to SQL injection attacks. This particular form of Web-based threat is now at record levels, MessageLabs said.
The study found a new form of spam that is generated by botnets controlled by the Storm worm. The spam automatically downloads a rogue anti-spyware program called Antivirus XP 2008. The program displays a false list of malware infecting the user's system and demands the purchase of a license.
Out of all the Web-based malware intercepted in July, 83.4 percent was new, MessageLabs said.
Analyzed by the industry sector of the organization receiving the junk e-mail, MessageLabs found that spam levels have actually decreased for all except the non-profit sector, in which spam rose by 5.8 percent to account for 82.2 percent of all e-mail.
Quote of the day
No one is more dangerous than one who imagines himself pure in heart; for his purity, by definition, is unassailable.
James Baldwin
PUP
Acronym for potentially unwanted program
PUP or PUPs is a term used to describe unwanted programs such as Trojans, spyware and adware, along with other malware which may compromise your privacy. Some antivirus and PC security software packages, like McAfee VirusScan, will scan for and protect your system against PUPs. The term PUP was first used by persons at McAfee's Avert research lab to avoid any legal issues that may arise from calling these types of applications "spyware".
AMBULANCE CHASER : Beijing Olympic ticket scam shut down
Sue Marquette Poremba
August 05 2008
http://www.scmagazineus.com/Beijing-Olympic-ticket-scam-shut-down/PrintArticle/113433/
The U.S. federal courts shut down two websites that claimed to sell tickets to the Beijing Olympics, but instead scammed unsuspecting sports fans.
The sites, beijingticketing.com and beijing-tickets2008.com, appeared to be legitimate ticket brokers, but instead of supplying the tickets, the owners of the sites charged hundreds of credit card accounts. The scam affected people around the world, including the parents of members of Australia's Olympic team.
Apparently, the International Olympic Committee had been alerted to the scam several months ago. As of Tuesday morning, the sites were inaccessible.
This type of scam has become relatively common, Fred Felman, CMO of MarkMonitor, told SCMagazineUS.com on Tuesday.
“We see it all the time,” Felman said, “especially on ticket and auction sites.”
He advised that consumers always try to use the ticket brokers recommended by the event itself.
“Or, when in doubt, read the comments, if there are any," he added. "If every comment is positive and many of them are poorly written, that should raise a red flag that the site isn't legitimate.”
The loss of hundreds of dollars thought to be spent on tickets is only the tip of the iceberg, Sam Masiello, director of threat management at MX Logic, told SCMagazineUS.com.
“Not only are people out the money for event tickets, their credit card information, names and addresses are in the hands of crooks,” Masiello said. “While many of these people think all they've lost is the amount spent on tickets, the truth is, they are at risk of having their identity stolen.”
UNSECURE : Fakeproof e-passport is cloned in minutes
Steve Boggan
The Times, London
August 6, 2008
http://www.timesonline.co.uk/tol/news/uk/crime/article4467106.ece
New microchipped passports designed to be foolproof against identity theft can be cloned and manipulated in minutes and accepted as genuine by the computer software recommended for use at international airports.
Tests for The Times exposed security flaws in the microchips introduced to protect against terrorism and organised crime. The flaws also undermine claims that 3,000 blank passports stolen last week were worthless because they could not be forged.
In the tests, a computer researcher cloned the chips on two British passports and implanted digital images of Osama bin Laden and a suicide bomber. The altered chips were then passed as genuine by passport reader software used by the UN agency that sets standards for e-passports.
The Home Office has always argued that faked chips would be spotted at border checkpoints because they would not match key codes when checked against an international database. But only ten of the forty-five countries with e-passports have signed up to the Public Key Directory (PKD) code system, and only five are using it. Britain is a member but will not use the directory before next year. Even then, the system will be fully secure only if every e-passport country has joined.
Some of the 45 countries, including Britain, swap codes manually, but criminals could use fake e-passports from countries that do not share key codes, which would then go undetected at passport control.
The tests suggest that if the microchips are vulnerable to cloning then bogus biometrics could be inserted in fake or blank passports.
Tens of millions of microchipped passports have been issued by the 45 countries in the belief that they will make international travel safer. They contain a tiny radio frequency chip and antenna attached to the inside back page. A special electronic reader sends out an encrypted signal and the chip responds by sending back the holder’s ID and biometric details.
Britain introduced e-passports in March 2006. In the wake of the September 11 attacks, the United States demanded that other countries adopt biometric passports. Many of the 9/11 bombers had travelled on fake passports.
The tests for The Times were conducted by Jeroen van Beek, a security researcher at the University of Amsterdam. Building on research from the UK, Germany and New Zealand, Mr van Beek has developed a method of reading, cloning and altering microchips so that they are accepted as genuine by Golden Reader, the standard software used by the International Civil Aviation Organisation to test them. It is also the software recommended for use at airports.
Using his own software, a publicly available programming code, a £40 card reader and two £10 RFID chips, Mr van Beek took less than an hour to clone and manipulate two passport chips to a level at which they were ready to be planted inside fake or stolen paper passports.
A baby boy’s passport chip was altered to contain an image of Osama bin Laden, and the passport of a 36-year-old woman was changed to feature a picture of Hiba Darghmeh, a Palestinian suicide bomber who killed three people in 2003. The unlikely identities were chosen so that there could be no suggestion that either Mr van Beek or The Times was faking viable travel documents.
“We’re not claiming that terrorists are able to do this to all passports today or that they will be able to do it tomorrow,” Mr van Beek said. “But it does raise concerns over security that need to be addressed in a more public and open way.”
The tests also raise serious questions about the Government’s £4 billion identity card scheme, which relies on the same biometric technology. ID cards are expected to contain similar microchips that will store up to 50 pieces of personal and biometric information about their holders. Last night Dominic Grieve, the Shadow Home Secretary, called on ministers to take urgent action to remedy the security flaws discovered by The Times. “It is of deep concern that the technology underpinning a key part of the UK’s security can be compromised so easily,” he said.
The ability to clone chips leaves travellers vulnerable to identity theft when they surrender their passports at hotels or car rental companies. Criminals in the back office could read the chips and clone them. The original passport holder’s name and date of birth could be left on the fake chip, with the picture, fingerprints and other biometric data of a criminal client added. The criminal could then travel the world using the stolen identity and the original passport holder would be none the wiser.
The Home Office said last night that it had yet to see evidence of someone being able to manipulate data in an e-passport. A spokesman said: “No one has yet been able to demonstrate that they are able to modify, change or alter data within the chip. If any data were to be changed, modified or altered it would be immediately obvious to the electronic reader.”
The International Civil Aviation Organisation said: “The PKD ensures that e-passports used at border control points . . . are genuine and unaltered. In effect it renders the passport fool-proof. However, all states issuing e-passports must join the PKD, otherwise that assurance cannot be given.”
Going biometric
- 1999: International Civil Aviation Organisation begins study into possibility of worldwide use of travel documents carrying biometric data
- 2002: After 9/11 US announces all passports issued from 2006 and used to enter the country must contain biometric information or holder will require a visa
- 2006: Britain and many EU countries introduce biometric passports
- 2008: 45 countries have introduced biometric passports. 100 million have been issued globally
CHARGED : 11 charged for hacking and credit card fraud
By RODRIQUE NGOWI and ANNE D'INNOCENZIO
AP
06 August 2008
http://ap.google.com/article/ALeqM5iL9Fn3VNKRc00RHOLhI-cC-qEVwwD92CHFGG1
BOSTON (AP) — Eleven people, including a U.S. Secret Service informant, have been charged in connection with the hacking of nine major retailers and the theft and sale of more than 41 million credit and debit card numbers, the Justice Department announced Tuesday.
The data breach is believed to be the largest hacking and identity theft case ever prosecuted by the Department of Justice, which said the suspects were charged with conspiracy, computer intrusion, fraud and identity theft.
Three of those charged are U.S. citizens while the others are from places such as Estonia, Ukraine, Belarus and China.
The indictment returned Tuesday by a federal grand jury in Boston alleges that the suspects hacked into the wireless computer networks of retailers including TJX Cos., BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW and set up programs that captured card numbers, passwords and account information.
"They used sophisticated computer hacking techniques that would allow them to breach security systems and install programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves," Attorney General Michael Mukasey said at a news conference. "And in total, they caused widespread losses by banks, retailers, and consumers."
Mukasey called the total dollar amount of the alleged theft "impossible to quantify at this point." U.S. Attorney Michael J. Sullivan said that while most of the victims were in the United States, officials still haven't identified all the people who had a card number stolen.
"I suspect that a lot of people are unaware that their identifying information has been compromised," he said.
Sullivan said the alleged thieves weren't computer geniuses, just opportunists who used a technique called "wardriving," which involved cruising through different areas with a laptop and looking for accessible wireless Internet signals. Once they located a vulnerable network, they installed so-called "sniffer programs" that captured credit and debit card numbers as they moved through a retailer's processing networks.
The information was stored on two servers in Ukraine and Latvia — one with more than 25 million credit and debit card numbers and another with more than 16 million numbers, Sullivan said.
The heist was a black eye for retailers like TJX. The company initially disclosed the data breach in January 2007 but said a few months later that at least 45.7 million cards were exposed to possible fraud in a breach of its computer systems that began in July 2005. Court filings by some banks that sued TJX put the number of cards affected at more than 100 million, based on estimates by officials with Visa and MasterCard, who were deposed in the suit.
In May, TJX said it won support from MasterCard-issuing banks for a settlement that will pay them as much as $24 million to cover costs from the breach. A similar agreement reached last November with Visa-card issuing banks set aside as much as $40.9 million to help banks cover costs including replacing customers' payment cards and covering fraudulent charges.
According to the indictments unsealed Tuesday, three of the defendants are U.S. citizens, one is from Estonia, three are from Ukraine, two are from China and one is from Belarus. One individual is known only by an alias online, and his place of origin is unknown.
At a press briefing in San Jose, Calif., Homeland Security Secretary Michael Chertoff said the non-U.S. citizens under indictment were part of an international stolen credit and debit card ring.
The ring operated mainly in Eastern Europe, the Philippines, China and Thailand, and the alleged foreign conspirators remained outside the U.S., Chertoff said.
The thefts were criminal actions committed for the personal gain of the defendants, who investigators did not consider a national security threat, Chertoff said.
Still, he said, their alleged crimes demonstrated the weaknesses of cybersecurity in the U.S.
"Today's indictments are a reminder of a growing threat that every American faces in the 21st century — the fact that each individual's greatest asset is their names, their identity," Chertoff said.
In the Boston indictment, the alleged ringleader Albert "Segvec" Gonzalez of Miami was charged with computer fraud, wire fraud, access device fraud, aggravated identity theft and conspiracy. Gonzalez, who is in custody in New York, faces a maximum penalty of life in prison if he is convicted of all the charges.
Gonzalez was a U.S. Secret Service informant who helped the agency take over a Web site being used to transmit stolen identifiers and stolen credit card numbers, U.S. Secret Service Director Mark Sullivan said at the news conference.
"That was the first time ever that a computer system was wiretapped," he said.
But he said the Secret Service later found out that Gonzalez had also been feeding criminals information about ongoing investigations — even warning off at least one person.
"Obviously, we weren't happy that a person working for us as an informant was double-dealing," Mark Sullivan said.
Indictments were also unsealed Tuesday in San Diego against Maksym "Maksik" Yastremskiy of Kharkov, Ukraine, and Aleksandr "Jonny Hell" Suvorov of Sillamae, Estonia. They are charged with crimes related to the sale of the stolen credit card data.
Yastremskiy was arrested when he traveled to Turkey on vacation in July 2007. He is facing related Turkish charges, and U.S. officials said they have requested his extradition.
Justice Department officials said Suvorov was arrested on the San Diego charges by German officials in March when he traveled there on vacation. He is in custody awaiting the resolution of extradition proceedings.
Indictments against Hung-Ming Chiu and Zhi Zhi Wang, both of China, and a person known only by the online nickname "Delpiero" were also unsealed in San Diego.
A Justice Department spokeswoman said those three suspects, together with five others, are still at large. Officials did not give an arraignment date for Gonzalez.
In May, federal prosecutors in New York indicted Yastremskiy, Suvorov and Gonzalez on 27 counts of fraud and identity theft. The charges stemmed from allegations that they hacked into a national restaurant chain's computerized cash registers and stole credit card information from customers. Eleven Dave & Buster's restaurants around the United States suffered at least $600,000 in losses, prosecutors said.
It was not immediately possible to reach Yastremskiy, Suvorov and Gonzalez for comment and it was not clear if they have legal representation.
Also see
http://www.scmagazineus.com/Ring-responsible-for-TJX-mega-breach-eight-others-busted/article/113415/
CAUGHT : Dutch botnet herders arrested
By Jan Libbenga
4th August 2008
http://www.theregister.co.uk/2008/08/04/dutch_botnet_herders_arrested/
Dutch police have arrested two Dutch brothers suspected of running a botnet controlling 40,000 to 100,000 computers, with only a small portion (1,100 computers) based in the Netherlands.
The FBI had been investigating this case for a while before contacting the Dutch authorities. The arrests were made shortly after the two young bot-herders from the Frisian town of Sneek sold their network of compromised machines to a person in Brazil for €25,000 on Tuesday. The 35-year-old Brazilian man from Taubate (near Rio de Janeiro) has also been arrested and is awaiting extradition to the US.
The FBI hasn't revealed what the botnet was going to be used for, but Brazil along with Turkey and Russia hosts the highest number of zombies worldwide. Most botnets are exploited for denial-of-service attacks, click fraud, spamdexing and the theft of application serial numbers, login IDs, and financial information such as credit card numbers.
The younger, 16-year-old brother has been released awaiting further trial, while the main suspect, 19, had to appear before a judge in Rotterdam on Friday.
In 2005 Dutch police arrested a trio of young men for creating a 1.5 million machine botnet, allegedly used to extort a US company and distribute spyware.
Quote of the day
Success is how high you bounce when you hit bottom.
George S. Patton
pulsing zombie
A form of DoS attack known as a degradation-of-service attack, as opposed to a denial-of-service attack. Unlike a regular zombie that paralyzes a system by inundating it with a steady stream of attack traffic, the pulsing zombie attacks with irregular small bursts of attack traffic from multiple sources on a single target over an extended period of time. Pulsing zombie attacks are more difficult to detect and trace because they are slow and gradual, so they do not immediately appear malicious.
DEVELOPMENT : Researcher demonstrates new hacking techniques
By Dennis Fisher, Executive Editor
SearchSecurity.com
31 Jul 2008
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1323408,00.html
Analysts planning to take apart a piece of malware to get a look at its inner workings have any number of techniques at their disposal. But these tactics are well-known in the hacker community as well, and they have become less effective over time as attackers have learned to evade them.
At the Black Hat conference next week, Billy Hoffman, a researcher who has done work on application security and JavaScript security, will demonstrate several new techniques that malware authors can use to shield their programs from analysis. The techniques take advantage of some of the special capabilities of JavaScript, a language that has become a favorite of malware authors of late.
"None of the existing sandboxes are sophisticated enough to circumvent these techniques. That's exactly why I want to talk about it publicly," Hoffman said. "If I figured this out, you better believe other people have. The fact that it's not public means they just haven't told anyone."
Hoffman, manager of the Web Security Research Group at HP Software Inc., plans to discuss five new tactics he's developed, most of which enable JavaScript malware to detect whether it's actually running in a full browser, or just an emulated browser inside a sandbox. For example, JavaScript gives authors the ability to define a block of code to act as an error handler. When a sandbox comes across code with syntax or runtime errors, it typically will stop running. A browser, however, will run the code and run the error handler. So, if malware can discover that the environment it's running in can't handle the error, it can identify the environment as not being a full-on browser and simply shut down.
"Some malware could have deliberate syntax errors that force the error handler to run and clean things up," Hoffman said. "If that doesn't run, the malware knows it's in a sandbox."
Another of Hoffman's techniques revolves around the ways in which browsers and sandboxes handle events and timers. The technique is designed to determine whether user events are being run in the correct order. Hoffman said sandboxes tend to run events and timers either too quickly or even out of order at times, which can be detected by the JavaScript malware.
JavaScript has come into favor with malware authors recently as they look for new and better ways to get their creations past perimeter defenses and into the hands of unsuspecting users. Some attackers have begun using JavaScript as a kind of wrapper to protect their programs, Hoffman said.
"It's the versatility they like and the vector they can deliver it through. More and more we see people exploited by drive-by downloads," he said. "Still, attackers have to use JavaScript because defenses are good at monitoring straight traffic. This allows them to wrap malware in JavaScript, get it past the defenses, unpack it through the browser and compromise the system without anything knowing it went by.
"You can do really nasty things like keylog, steal history and steal passwords. We see all the iFrame and Google hijacking attacks," Hoffman said. "People are injecting JavaScript into malware to package traditional desktop vulnerabilities. We've seen the mass SQL attacks. It's becoming the vector of choice for an attacker. The next step is how do we analyze that?"
Hoffman said that at least one of the techniques he'll be discussing at Black Hat has been used in the wild. And while he said none of the techniques are a giant technological leap forward, Hoffman said they're all perfectly capable of defeating the current state of the art in sandboxing and analysis.
"These were really just the next logical step forward," Hoffman said. "But they can get around pretty much every sandbox that exists."
RISKY : Heathrow Airport is laptop crime capital
Nearly 1,000 laptops go missing at Heathrow Airport every week, according to new research.
Charles Starmer-Smith
01 Aug 2008
http://www.telegraph.co.uk/travel/travelnews/2482615/Heathrow-Airport-is-laptop-crime-capital.html
A traveller is more likely to lose a laptop computer at Heathrow than at any other major European airport, according to new research.
In a year, about 800,000 laptops are lost or stolen at airports throughout the world. But 900 go missing at Heathrow every week, according to research for the technology company Dell.
Ponemon Institute, a privacy management company, surveyed 5,000 travellers, baggage handlers and security staff at 113 airports in Europe and the United States.
It found Heathrow to be the worst performing of Europe's airports, although - with 68 million passengers passing through its terminals each year - it is also the busiest.
About 3,800 computers go missing each week from Europe's 24 busiest airports, with more than half never retrieved.
Amsterdam Schiphol, with 750 laptops lost, Paris Charles De Gaulle (733) and Gatwick (385) were the next worst performers.
In the US, about 12,000 laptops are lost or stolen each week, with 10 per cent of these disappearing at Los Angeles.
The survey found that many travellers fail to take any steps to protect the information contained on their laptops. Nearly 60 per cent of the British admitted that they did not protect confidential information, while more than half said that they did not back up data.
According to the research, most laptops are lost at the departure gates or airport lounges, although 42 per cent of British travellers said that their computer went missing after they asked another passenger to keep an eye on it.
Mike Cobb, a security expert at the Ponemon Institute, said: "One of the quick and easy things travellers can do is put their name and contact number on the outside of their laptop.
"Also, they can back up their data - personal or sensitive data should be encrypted. It's not an arduous task."
NEW LAW : US Senate Approves Bill to Fight Cyber-Crime
By Brian Krebs
July 31, 2008
Washington Post Blog
http://blog.washingtonpost.com/securityfix/2008/07/senate_approves_bill_to_fight.html
The Senate on Wednesday passed legislation to modernize the nation's computer crime laws and give prosecutors more leeway in pursuing cyber crooks.
Under current federal cyber-crime laws prosecutors must show that the illegal activity caused at least $5,000 in damages before they can bring charges for unauthorized access to a computer. Under the bill approved today, that threshold would be eliminated.
Instead, the legislation would make it a felony to install spyware or keystroke-monitoring programs on 10 or more computers regardless of the amount of damage caused.
This change is important because most of today's cyber criminals break into thousands of computers at a time, but seldom inflict $5,000 worth of damages on any one individual. Moreover, while most commit their crimes by tunneling their connections through hacked computers, the crooks may never damage the PCs they are using as a proxy or try to steal personal and financial data from victims.
The real damage to cyber-crime victims -- the loss of privacy and the time and effort it takes to clean up a compromised machine and/or stolen identity -- is extremely hard to quantify monetarily. Nevertheless, one section of the measure would give identity theft victims the ability to seek restitution for the loss of time and money spent restoring credit.
The bill also would allow federal courts to prosecute attackers who go after computers located in the same state in which they live. Under current law, federal courts only have jurisdiction if the thief uses interstate communication to access the victim's PC.
Another new provision covers cyber extortion. Under existing law, the government can prosecute cyber extortionists who threaten to delete a victim's data or to crash a computer. But there is no specific statute that addresses cyber crooks who try to extort companies by, say, publishing or releasing stolen information. This bill would criminalize that activity.
This reminds me of the attack against CD Universe in 2000, when a hacker broke into the online music store's credit card database and threatened to publish the information online unless it paid $100,000. CD Universe refused, and the hacker went ahead and posted the data on the Web.
These new provisions will be added to a bill known as The Former Vice President Protection Act (H.R. 5938). The original Senate cyber-crime bill from November, 2007, was stalled in the House of Representatives, so lawmakers have tacked on these new cyber-crime-fighting measures to legislation that the House already approved. The measure now heads back to the House for reconsideration.
CONCERN : Over 89% of Security Incidents Not Reported
RSA Conference Survey Reveals that More Than 89% of Security Incidents Went Unreported in 2007
Tim Mather and Sandra Toms LaPedis of RSA Conference
Jul 28, 2008
http://www.rsaconference.com/security_topics/business_trends_and_impact/blog.aspx?blogId=17053
RSA Conference recently conducted a survey of security professionals regarding the critical industry and infrastructure issues they currently face.
The survey reveals that more than 89% of security incidents went unreported in 2007.
The RSA Conference survey identified four specific types of security threats as major pain-points for the industry in the coming year. Forty-nine percent of respondents cited data leakage of customer or employee data as their primary area of concern. Coming in a close second, concerns about e-mail-borne malware/phishing were cited by 41% of survey respondents. Web-borne malware and insider threats/theft were also worrisome to security professionals, both cited by 36% of the respondents.
When asked about the top security and organizational challenges, 49% of survey respondents cited lost or stolen devices. Tied for second place, 47% of respondents noted both non-malicious employee errors and educating employees. Budgetary constraints trouble 44% of respondents.
54% of respondents admitted that they had dealt with a security incident - defined as an unexpected activity that brought sudden risk to the organization and took one or more security personnel to address - in 2007. Additionally, 13% stated that they addressed more than 20 security incidents during 2007.
Of these incidents, data leakage of customer or employee data, insider threats/theft and intellectual property theft accounted for 29%, 28% and 16% respectively. However, only 11% of those surveyed publicly disclosed any of those security breaches or possible data losses.
In an attempt to uncover the impact of the "Storm" worm and resulting botnet, a backdoor Trojan horse that had detrimental effects on computer operating systems and received extensive media coverage in 2007, the survey found that a mere two percent of organizations were seriously affected by the outbreak. Conversely, 86% said that their organization was not affected by Storm at all.
The study, “What Security Issues are Plaguing You?” includes responses from more than 300 professionals predominantly charged with managing and engineering security infrastructures within their respective organizations.