ESET Threat Blog

Archive for February, 2010

Come See Us at RSA


Friday, February 26th, 2010

If you’re going to be attending RSA in San Francisco next week, stop by our booth (#1751) and say hi!

ESET bloggers Jeff Debrosse, David Harley, and I will be there. Jeff and I will take turns presenting “Security’s Rosetta Stone: Translating security to human behavior”.

You can also enter a drawing to win some cool Intel motherboards!

We were pleased to learn we have been nominated for the best security blog in an SC Magazine contest. Voting is closed, but we look forward to the results. There are some really, really good security blogs and we are honored to be in the competition.

Hope to see you there!!!

Randy Abrams
Director of Technical Education
 

Too Many Chiefs and not Enough Indians


Thursday, February 25th, 2010

Ahhh, that was a coworker’s favorite saying each time administrators would make idiotic decisions because they weren’t in the trenches to see the effects of their decisions.

There is a result from the National Cyber Security Alliance survey that I find specifically interesting. First, let me preface this by saying that the thing you learn most from surveys is what questions were not asked that should have been.

The survey I refer to is about cyber education in the schools and can be found at http://staysafeonline.mediaroom.com/index.php?s=67&item=50.

One question asks “My school/school district does an adequate job of preparing students regarding Cyberethics, safety, and security issues”. The fact that the majority of people felt this is the case is not so interesting. What is interesting is the difference of opinion between administrators, technology coordinators and teachers.

4% of administrators STRONGLY disagree with the assertion “My school/school district does an adequate job of preparing students regarding Cyberethics, safety, and security issues.”
9% of technology coordinators strongly disagree
12% of teachers strongly disagree.

The difference between 4% and 9 or 12% is striking to me in that it would appear the administrators are out of touch with the people teaching and the people who should be in a position to better understand technology.

The question that keeps coming to mind is how many of these people in the survey are actually knowledgeable enough to authoritatively answer the survey questions. My inclination is to believe that those who strongly disagreed on the above item are probably those who truly understand the issue the best.

Randy Abrams
Director of Technical Education

Cyber-Education


Thursday, February 25th, 2010

The NCSA (National Cyber Security Alliance) just released the details of a survey of educators and technologists concerning both cybersecurity and cyberethics education in the schools. Cyberethics is prevention: it attempts to decrease cybercrime by teaching that it really is still crime and not very nice. Cybersecurity is teaching defense.

If I covered the whole report this blog would be longer than the report itself! This may require a few blogs to discuss the many different aspects of the survey, but I’ll cover a few items today. You can get the report at http://staysafeonline.mediaroom.com/index.php?s=67&item=50.

It is interesting to me that according to the report 100% of technology coordinators, 97% of school administrators, and 95% of teachers agree cyberethics, cybersafety, and cybersecurity curriculum should be taught in schools. This should come as no surprise as cybersafety and cybersecurity have become required life skills in our society. As for cyberethics, that opens a whole different can of worms that at times may verge on discussions about teaching religion in schools.

The report states that 72% of teachers, 58% of technology coordinators, and 51% of school administrators are most likely to think parents are primarily responsible for teaching children to use computers safely and securely. Another way to state this is that almost half of the administrators appear to believe it is primarily the school’s job to teach these cyber subjects. There is a very sound argument for the schools being the primary teacher. Many, probably most, parents don’t have the knowledge to teach cybersafety and cybersecurity. Most parents probably can teach cyberethics, but it doesn’t help if their kids see them downloading pirated materials!

So, now that we know that there is overwhelming support for teaching these subjects in school, the true challenge is preparing the teachers to effectively teach the subjects. The survey does address this issue to some extent. The report states “Over three quarters of teachers have spent less than six hours on any type of professional development education related to cyberethics, cybersafety, and cybersecurity within the last 12 months. Comparatively, between 2008 and 2010, more teachers have received training in the 6-15 hours range. However, the “less than six hours” of training group remains the largest.”

I believe it will be several years before we actually have enough teachers with enough training and knowledge to effectively teach cybersecurity and cybersafety, but society needs to start providing such training sooner rather than later. It is very encouraging that the recent cybersecurity bill that was passed in the US House of Representatives does pay attention to the role of education. Now we need to translate that to reaching people with effective education… and the same needs to be done throughout the world. It really isn’t just a US problem and education is a great area for international collaboration.

It’s going to take some time to fully digest the report, but I’ll be back with some more observations and thoughts!

Randy Abrams
Director of Technical Education

Does Anyone Know WHOIS Out There?


Monday, February 22nd, 2010

A report was recently released which examined the accuracy of the information within the WHOIS system. WHOIS services are intended to provide free public access to information about the registrants of Internet domain names. This report was commissioned by ICANN, the body that oversees the allocation & registration of Internet domain names.

Probably the most concerning finding from the report is the fact that only 23% of the records in WHOIS were fully accurate. A further 24% had some information missing, but the researchers were able to locate the person registered as the owner of the domain & confirm this. That left 53% of records where the owner could not be located to confirm ownership of a domain name. This failure was due to incorrect, inaccurate, false or simply missing data on the WHOIS records.

What does this mean to you & me? It means if a bad guy wants to set up a dodgy website he can do so, and without too much difficulty cover his tracks by providing a name like "Donald Duck" and an address like "Disneyland" for the contact details, so that it's not easy to trace things back to him.

So how did we end up with a system so riddled with bad data? It seems many of the Internet domain name registrars have been very lax when issuing new Internet domain names. There are no mandated standards for registrars to check whether the information provided is accurate, and many registrars have not bothered to check & enforce the completeness & accuracy of the information provided by people applying for domain names.

The obvious solution here is to force the domain name registrars to thoroughly verify an applicant's details before they are given a domain name. But the problem is that these checks would require additional resources & time before issuing a domain name, which would cost more money. This means that they would have to increase their charges to the applicants.

So it comes down to the usual conflict. Do we want security and responsible actions on the Internet by making domain name owners traceable & verifiable, or do we want cheap costs when it comes to registering a domain name?

In many countries, in order to possess a gun you must first apply for a gun license, verify your identity and explain what you intend to use the gun for. I think it should be the same with domain name registration. Yes, I know – guns don't kill people, people kill people. But if guns can be used to perpetrate crimes, then the use of guns should have some level of control. When it comes to websites and the level of criminal activity that may be perpetrated through the use of a website, I think we should at least have some sort of verification of the identity of the person behind that site.

The ease with which a bad guy can currently set up malicious websites anonymously is yet another example why the Internet is currently such a Gangster's Paradise. It's not going to be easy, but things need to change.

 

Craig Johnston
Senior Cybercrime Research Analyst

A Cautionary Tale for Health Care Providers, the Clergy, and others


Monday, February 22nd, 2010

So how bad was the roll out of Google Buzz? Let’s start with a little bit of history first.

Either before or after you read this blog, I would appreciate your impressions of how Google rolled out Buzz. I have a survey up at http://www.surveymonkey.com/s/JSS79XJ

Several years ago, Microsoft initiated their SDL, Security Design Lifecycle, to improve the security of their products. Google is way overdue for starting a Privacy Design Lifecycle. Google’s respect for privacy makes Microsoft’s worst security problems seem inconsequential.

According to the satirical joke known as “Google’s Approach to Privacy” (http://mail.google.com/mail/help/privacy.html):

“We provide advertisers only aggregated non-personal information such as the number of times one of their ads was clicked. We do not sell, rent or otherwise share your personal information with any third parties except in the limited circumstances described in the Google Privacy Policy, such as when we believe we are required to do so by law.”
The “Privacy Policy” they refer to says:

We have 5 privacy principles that describe how we approach privacy and user information across all of our products:
1. Use information to provide our users with valuable products and services.
2. Develop products that reflect strong privacy standards and practices.
3. Make the collection of personal information transparent.
4. Give users meaningful choices to protect their privacy.
5. Be a responsible steward of the information we hold.

When Google launched Buzz they completely ignored items 4 and 5.
The policy http://www.google.com/privacypolicy.html goes on to promise:
Google only shares personal information with other companies or individuals outside of Google in the following limited circumstances:
    * We have your consent. We require opt-in consent for the sharing of any sensitive personal information.
    * We provide such information to our subsidiaries, affiliated companies or other trusted businesses or persons for the purpose of processing personal information on our behalf. We require that these parties agree to process such information based on our instructions and in compliance with this Privacy Policy and any other appropriate confidentiality and security measures.
    * We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against harm to the rights, property or safety of Google, its users or the public as required or permitted by law.

Very, very, very importantly, Google claims:

If we propose to use personal information for any purposes other than those described in this Privacy Policy and/or in the specific service privacy notices, we will offer you an effective way to opt out of the use of personal information for those other purposes. We will not collect or use sensitive information for purposes other than those described in this Privacy Policy and/or in the supplementary service privacy notices, unless we have obtained your prior consent.

So, what did Google do? Google added a service called Buzz that effectively changed your email account to a social networking account and initially refused to give you any opt out at all prior to sharing sensitive information. Google automatically displayed many of your contacts, which is another breach of their privacy policy. The really sad thing is that many Google users do not value privacy and figure it was inconsequential. I will show you exactly why it was not inconsequential, but you have to do some research to understand this.

First, you need to do a few Google searches. Copy and paste the following into a Google search box.

Psychologist site:google.com/profiles
Psychiatrist site:google.com/profiles
Doctor  site:google.com/profiles
Gynecologist site:google.com/profiles
Podiatrist site:google.com/profiles
Neurologist site:google.com/profiles
Doctor site:google.com/profiles
General Practitioner site:google.com/profiles
Therapist site:google.com/profiles
Sexual therapist site:google.com/profiles
Lawyer site:google.com/profiles
Solicitor site:google.com/profiles
Priest site:google.com/profiles
Minister site:google.com/profiles
Rabbi site:google.com/profiles

There are many other potential searches, but what this is showing are the public profiles of people who have legal or ethical obligations to keep confidential the identities of the people they communicate with. What Google did was deliberately violate their own privacy guidelines and policies so as to breach the confidentiality of users, and they did so because the immediate build of a social network was deemed more important than adhering to their policy or respecting a single person in the world. In other words, they have no compliance and no concern.

People at Google absolutely know that even disclosing that a victim of domestic violence is seeking help may put that victim in harm’s way. I know some Google people know this because I have been at the same meetings their security people have been at when representatives of NNEDV, the National Network to End Domestic Violence, told of how even exposing that an abuse victim is looking for help can end in violence or death. Google places an instant social network high above the safety of people.

When Google rolled out Buzz, they made the private contacts of many people public knowledge. To this day Google has admitted no wrongdoing and has only apologized for causing discomfort, not for violating their agreements.

The odds are that if you have a Gmail account and perform the searches I suggested, and then look at who is following who or being followed by who, and their public profiles, you can put two and two together to find out who is being seen/treated by who, and in some cases for what general therapies.

You can look up a psychologist and see what they specialize in. Perhaps depression, the treatment of children, marriage counseling, etc. You can look up who they follow and who follows them and often find out the location of the people if they list it in their public profile. It sometimes isn’t hard to put two and two together, especially if you know one or both parties.

Health care professionals are held to a very high legal standard regarding information disclosure. By law, they simply are not allowed to divulge very much information. This is in addition to their own ethical beliefs. What Google did may have caused some health care providers to fall outside of the law. I am not a HIPAA expert or a lawyer, but I am guessing that a health care professional revealing to the world the name of a patient and associating that patient with them is either not legal or not what they consider ethical. Google caused that to happen without warning. It goes beyond health care though. When a person consults with their clergy, they expect, at least in some cases, that the religious leader will not even disclose that they had a conversation. Google exposed this information because building a social network really fast was more important to Google than informed consent and adherence to their privacy policy.

If a user emailed a company about any number of private issues, this may have been revealed to the world. It was not the content of the email, but Google forced the user to divulge the nature of the contact.

It has been interesting following the responses on Buzz. A large number of users seem to think that the value of privacy and a contact is roughly zero.

Do expect Google to start making your Gmail emails public. Unless the class action lawsuit against Google is certified and truly hurts Google, there is no deterrent to Google brazenly ignoring it.

I am expecting Google to launch Google Gossip, where they take snippets of your email and post it to the world. Sound farfetched? Read the privacy policy. Google already maintains the right to scan your messages.

Randy Abrams
Director of Technical Education
ESET LLC

New White Papers


Sunday, February 21st, 2010

Two new white papers have been posted on the white papers page at http://www.eset.com/download/whitepapers.php.

(1) "Ten Ways to Dodge CyberBullets" by David Harley

Around New Year it seems that everyone wants a top 10: the top 10 most stupid remarks made by celebrities, the 10 worst-dressed French poodles, the 10 most embarrassing political speeches and so on. We revisited some of the ideas that our Research team at ESET, LLC came up with at the end of 2008 for a "top 10 things that people can do to protect themselves against malicious activity."

While much of the content in this paper comes from a series of blogs from the beginning of 2009, it has been updated here with more recent material from other members of ESET’s research teams across the globe, and it appeared here as a series of blogs which has just been completed.
 
(2) "Conficker by the numbers" by Sebastián Bortnik

This is a translation for ESET LLC of a document previously available in Spanish by ESET Latin America (see http://eset-la.com/centro-amenazas/2241-conficker-numeros).

David Harley CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter:
http://twitter.com/esetresearch; http://twitter.com/ESETblog
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macvirus.com/

Ten Ways to Dodge Cyber-Bullets (Part 10)


Saturday, February 20th, 2010

[Part 10 of an occasional series, updating a blog series I ran in early 2009 to reflect changes in the threat landscape. This series will also be available shortly at http://www.eset.com/download/whitepapers.php as a white paper.]

Don’t be a Crackhead

Don’t use cracked/pirated software. Such programs provide an easy avenue for introducing malware into (or exploiting weaknesses in) a system. The illegal P2P (peer-to-peer) distribution of copyrighted audio and video files is dangerous: some of these are counterfeited or modified so that they can be used directly in the malware distribution process.

Even if a utility seems to come from a trusted and trustworthy source rather than Mrs. Miggins’ Warez Emporium, it pays to verify as best you can that it’s genuine.

Win32/GetCodec.A, which is as common now as it was a year ago, is a type of malware that modifies media files. This Trojan converts all audio files found on a computer to the WMA format and adds a field to the header that includes a URL pointing the user to malicious content, claiming that the fake “codec” has to be downloaded so that the media file can be read. WMA/TrojanDownloader.GetCodec.Gen is a downloader which facilitates infection by GetCodec variants like Win32/GetCodec.A.

Passing off a malicious file as a new video codec is a long-standing social engineering technique exploited by many malware authors and distributors. The victim is tricked into running malicious code he believes will do something useful or interesting. While there’s no simple, universal test to indicate whether what appears to be a new codec is a genuine enhancement or a Trojan horse of some sort, we would encourage you to be cautious and skeptical about any unsolicited invitation to download a new utility. Even if the utility seems to come from a trusted site (see http://www.eset.com/threat-center/blog/?p=828, for example), it pays to verify as best you can that it’s genuine.
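The header trick that GetCodec relies on (a URL planted in the WMA/ASF header so the player nags for a “codec”) can be triaged by walking the ASF header objects and flagging any embedded URL. The scanner below is an added example, not ESET’s code: it builds a minimal ASF header inline for testing, using the Header Object and Content Description Object layouts and GUIDs from the ASF specification, and the URL in the constructed sample is a placeholder.

```python
import re
import struct
import sys

# GUIDs as they appear on disk (ASF specification, little-endian field order).
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")
CONTENT_DESC_GUID = bytes.fromhex("3326b2758e66cf11a6d900aa0062ce6c")

# Header Object: GUID(16) + size(8) + object count(4) + 2 reserved bytes.
HEADER_OBJECT_SIZE = 30
# Every child object starts with GUID(16) + size(8).
CHILD_HEADER_SIZE = 24

URL_RE = re.compile(rb"https?://[\x21-\x7e]+", re.IGNORECASE)


def iter_header_objects(data):
    """Yield (guid, payload) for each top-level object inside the ASF Header Object."""
    if len(data) < HEADER_OBJECT_SIZE or data[:16] != ASF_HEADER_GUID:
        raise ValueError("not an ASF/WMA container")
    header_size, object_count = struct.unpack_from("<QI", data, 16)
    header_size = min(header_size, len(data))  # never trust a declared size past EOF
    offset = HEADER_OBJECT_SIZE
    for _ in range(object_count):
        if offset + CHILD_HEADER_SIZE > header_size:
            break
        guid = data[offset:offset + 16]
        (size,) = struct.unpack_from("<Q", data, offset + 16)
        if size < CHILD_HEADER_SIZE or offset + size > header_size:
            break  # malformed object: stop instead of walking off the end
        yield guid, data[offset + CHILD_HEADER_SIZE:offset + size]
        offset += size


def find_urls(payload):
    """Return URLs found in a header object, whether stored as UTF-16LE text or raw ASCII."""
    decoded = payload.decode("utf-16-le", errors="ignore").encode("ascii", errors="ignore")
    urls = set()
    for text in (payload, decoded):
        urls.update(m.decode("ascii") for m in URL_RE.findall(text))
    return urls


def scan_wma_header(data):
    """Return a sorted list of URLs embedded anywhere in the ASF header objects."""
    found = set()
    for _guid, payload in iter_header_objects(data):
        found |= find_urls(payload)
    return sorted(found)


def _utf16z(s):
    return s.encode("utf-16-le") + b"\x00\x00"


def build_sample_wma(description):
    """Construct a minimal ASF header (no data packets) carrying one Content Description Object."""
    # Content Description Object: five WORD lengths (title, author, copyright,
    # description, rating) followed by the five UTF-16LE strings.
    fields = [_utf16z("track"), _utf16z("artist"), b"", _utf16z(description), b""]
    body = struct.pack("<5H", *(len(f) for f in fields)) + b"".join(fields)
    cd_obj = CONTENT_DESC_GUID + struct.pack("<Q", CHILD_HEADER_SIZE + len(body)) + body
    header_size = HEADER_OBJECT_SIZE + len(cd_obj)
    return ASF_HEADER_GUID + struct.pack("<QIBB", header_size, 1, 1, 2) + cd_obj


if __name__ == "__main__":
    # Constructed sample standing in for a GetCodec-modified file; the URL is a placeholder.
    sample = build_sample_wma("Download the codec from http://codec.example.invalid/get to play")
    print("sample:", scan_wma_header(sample))
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, scan_wma_header(fh.read(1 << 20)))
```

A clean WMA header normally carries no URL at all, so any hit is worth a look; the script only reads the header region and never follows the URL.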

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


Ten Ways to Dodge Cyber-Bullets (Part 9)


Saturday, February 20th, 2010

[Part 9 of an occasional series, updating a blog series I ran in early 2009 to reflect changes in the threat landscape. This series is now available as a white paper at http://www.eset.com/download/whitepapers.php.]

Be Wireless, not Careless

Don’t connect to just any “free Wi-Fi” access point: it might alter your DNS queries or be the “evil twin” of a legitimate access point, set up to intercept your logins and online transactions. (When I have occasion to see what networks are being offered me in hotels, airports, even in the apartment block where I live, I have to wonder how many of them are legitimate…)

Our colleagues in Bratislava put up a nice article in 2009 on "Summer Surfing on Free Wi-Fi: Work or Play, but stay secured": see http://www.eset.eu/press/summer-surfing-on-free-wifi. Of course, many of the points made there are just as valid at any time of year. Here’s a summary of some of them:

Be aware of some common security issues with hot spots

  • “Evil twin” login interception: this is a scenario where a network is set up by hackers to resemble legitimate Wi-Fi hot spots, in order to intercept your login credentials for legitimate networks and sites
  • Previously unknown (zero-day) attacks exploiting operating system or application vulnerabilities
  • Sniffing, or using computer software and/or hardware to intercept and monitor traffic passing over a network
  • Other forms of data leakage using man-in-the-middle attacks

Be aware also of ways of reducing your attack surface and protect your computer:

  • Ensure VPN pass-through ports are enabled, but don’t allow a high port free-for-all: professional system administrators open only necessary ports. This doesn’t stop all attacks, but does reduce them.
  • Use HTTPS to access webmail
  • Avoid protocols that don’t include encryption wherever possible
  • Disable sharing of files, folders, services
  • Avoid connecting to sites that transfer sensitive info, your banking information, for instance, when connected to an untrusted access point
  • Ensure you’re using sound firewalling, antimalware, HIPS and so on.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


Avoiding Conflict


Thursday, February 18th, 2010

Some of you may be aware that some users have recently encountered problems with one of Microsoft's security updates. Some users' systems would crash with a "Blue Screen Of Death" (BSOD) after installing Microsoft's latest batch of security updates.

The problem has been narrowed down to the MS10-015 update. It seems that systems that had been infected with a rootkit known as TDSS, Tidserv or TDL3 (amongst other names) would crash once the MS10-015 security update was installed.

The interesting point here is that, as a result of this problem, the rootkit authors have created & distributed their own patch update for the rootkit software to remove the conflict and stop the BSOD crashes. That was nice of them, wasn't it?

Back in the early days, many viruses & worms used to have harmful or destructive payloads. When an infected system's virus payload was triggered, the virus would delete or scramble data files, or damage system files. The payload was all about causing headlines & havoc. The virus authors could then brag to their mates about how they were the one to cause all that havoc.

These days, malware is all about stealing information that can be turned into stealing money. The bad guys want to get their malware running quietly in the background without you noticing it, so that they can do whatever they want with your system. If many of the systems that they have their malware running on suddenly crash with a fatal error, and it becomes known that the presence of their malware is the culprit, the jig is up. They've been busted. So it's not really surprising that they have updated their own malware to avoid the conflict and stop the blue screens of death.

We now not only have software vendors issuing patches to avoid system crashes, but we also have the bad guys doing exactly the same thing.

So for the bad guys it used to be all about creating havoc and gaining notoriety. It's now all about systems running perfectly and the anonymity of the malware authors being maintained. It's all about business continuity…

Craig Johnston
Senior Cybercrime Research Analyst

The Google End Game


Thursday, February 18th, 2010

I came across an interesting side effect of Google forcing Gmail to be a social networking site.

A young lady in middle school replied to a Buzz asking what people think about Buzz. Her response?

“I am just getting the hang of Buzz right now too. I don't really go on blogging websites since my mom won't let me, but I think that it's kinda cool”

So, Google just took control out of the hands of parents in one fell swoop. The young lady was allowed to have email, but her parents had no idea she would be signed up for a micro-blogging service with absolutely no notice at all.

Great family support Google… Way to go… Google, contact me offline if you care to notify the parents of the minor about how you circumvented their control of their daughter’s computer use.

Randy Abrams
Director of Technical Education