ESET Threat Blog

Archive for the 'confidentiality' Category

The Internet Book of the Dead


Saturday, December 12th, 2009

This blog is a bit of an oddity. ESET UK were approached by Dan Damon, a reporter putting together a piece about “the complications of a digital world when someone passes away”, asking if there was someone at ESET who would be interested in being interviewed for BBC [1] radio on the subject. The request got passed back to me. While I wasn’t able to get to the studio at that point, as I was on the point of leaving for a conference in Japan, I thought that the topic was interesting, and put together a sort of interview mock-up for discussion. Dan seemed to like it, but we kept failing to synchronise.

Finally, he was ready to get me into the studio, but it was at very short notice and I simply couldn’t get there at the time it was needed, so the project is abandoned. However, it seemed a shame to waste the “interview”. Though since I take the part of the interviewer as well as my own part, I suppose it’s really more like an Alan Bennett [2]-ish monologue.

By the way, I’m not aware that there is any such thing as an Internet Book of the Dead. Consider it a tribute of sorts to “The North London Book of the Dead” [3], a story by Will Self [4] of which I happen to be rather fond. I presume that Self’s title is in itself a sort of parody of one of the religious texts associated with Egypt and Tibet (and, no doubt, other cultures) referred to as “The Book of the Dead.” [5, 6]

What has been the impact of the Internet on the availability of data?

Perhaps we should ask first, how old is the Internet, in comparison to the data it contains? The timelines and statistics for the protocols, and applications, and the take-up of pre-web, web 1.0 and web 2.0 sites and services are misleading, however good your resources. A carefully crafted Google search brings up information on relatives of mine who died when international networks were little more than hardwire connections between (physically) huge mainframes and the web wasn’t even a gleam in Tim Berners-Lee’s eye.

I was a comparative latecomer to computing, but even I predate many of the milestones that most Internet users regard as prehistoric. Even 25 or so years ago, when I first got dragged into what we then called the “new technology”, if you wanted to know what was known about you and your family, you had to go places, make phone-calls and write letters (and cheques). 

What sort of data are you referring to?

You needed access to church registers, births and marriages data, census information, electoral rolls and so on, and that only gave you access to barebones genealogical data: juicier information needed a far wider sweep and privileged access to resources and shadowy clusters of microfiche readers.

But all that’s changed now, surely?

It has indeed, and I don’t mean the upsurge of for-fee online genealogical databases. Those deceased relatives of mine might also show up in on-line national and local governmental resources, back-issues of local newspapers, local and historical blogs and other web sites. They probably never thought about this particular prospect of immortality, and if they did, took it for granted that their data were what we might now call “sterile” data (information to which the holders were entitled), and didn’t think about the more sinister implications of its continuing to exist.

In fact, those sinister implications were always there. Think back, for instance, to the use of the identities of dead people for forged passports in thrillers like Day of the Jackal [7].

But it’s changed much, much more for the living and breathing Internet generation?

Sure. Everyone who uses the Internet leaves footprints, and the dirtier the footprints, the easier they are to find. Everything you share online can come back to haunt you, and that doesn’t necessarily change when you start to do some haunting yourself.
You might never touch a computer keyboard yourself (I hear there are still people like that) but there are still lots of data around that are unique to you and sometimes freely available on the Internet: directories, commercial transactions, governmental data, credit ratings, and lots of stuff you may never have thought about.

Organizations that keep that sort of information are often subject to strict legal conditions: here in the UK the Data Protection Act [8] (possibly the most misunderstood legislation ever…) requires the people who hold your data to do so only when necessary and appropriate, to process it fairly, to maintain it properly and look after it carefully. (Other European countries are subject to similar restrictions, based on the same EC Directive [9].) I can almost see your cynicism, but that is at least the intention.

Specialized and sensitive data, such as banking data and medical data, are subject to other laws as well. So, in general, some of the most important data should reflect a post-mortem change in respiratory viability. And while we still hear horror stories, those major systems tend to work efficiently – if not compassionately – most of the time. For example, when my father died, the government asked for his last month’s pension payment back before we’d even had time to arrange the funeral, acting on information from the bank, which had already closed his account.

And no, that isn't another emotional sideswipe at the present UK government. This was decades before Gordon Brown.

What about all the stories about lost CDs and USB sticks?

I didn’t say the system always worked! In fact, having spent a lot of my working life in the NHS (National Health Service), I know very well it doesn’t, much of the time.

Can you tell us more about that?

Not if I ever want to feel safe walking down a hospital corridor.

Are you saying that there isn’t too much of a problem?

Not at all. The more data there are, the harder it is to keep track. Even thinking of something as apparently transient as an email, there are inevitably ways in which a message can be intercepted, or misdirected, or survive past its natural lifespan. And that’s assuming that it travels between two trusted and trustworthy individuals. I’ve seen a million examples of mail inappropriately shared because one of the parties involved didn’t regard it as confidential, or simply didn’t think about the consequences of sharing it.

To lapse into the first person again, I’ve done a lot of online writing: for example, internet FAQs, posts to specialist forums and newsgroups, mailing lists, blogs and so on. The extent to which they replicate, with or without the writer's knowledge, is astounding. There’s even an instance of an e-book I didn’t know I’d written until years afterwards.

How do you write a book without knowing about it?

Well, it's nothing to do with having a ghost writer.

I wrote a magazine article for a security organization. They subsequently reprinted it as an eBook. I found out years afterwards when I was googling for publisher info on books I did know I’d written.

There are other disadvantages to being online for an author. I actually got hold of an illicit electronic copy of a more recent book before my author’s copies had arrived. And an illicit copy of another book has been available for years on a virus exchange site. Let’s not talk about the fact that Google appears to think it owns the entire corpus of online literature, irrespective of copyright.

As Woody Guthrie once wrote [10], “I ain’t dead yet.” But these are examples that aren’t likely to change when I am, unless there’s a nuclear or ecological catastrophe.

Is this a good moment to raise the issue of social networking?

In the security industry, we talk a lot about the dangers of social networking, sharing information that may be valuable to burglars and scammers, or even spies if you happen to be married to the head of MI some-number-or-other. But it isn’t just about what you do, or information that you give away. Other people can give away information that impacts on you, like that photo of you next to Niagara Falls that your mate posts to his Facebook page, giving clear notice that you aren’t at home right now.

It’s not just about information, either. There is probably more misinformation than information in the online world, whether it’s deliberate deception, propaganda, fraud, well-meant lack of comprehension, or just data that’s no longer current.

Unfortunately, if you’re the victim of that sort of flim-flam, it’s not likely to go away when you do.

Dedicated to the memory of my good friend Graham Bell, for reasons that have very little to do with the Internet.

References:
1. http://www.bbc.co.uk/info/
2. http://en.wikipedia.org/wiki/Alan_Bennett
3. “The North London Book of the Dead”, from The Quantity Theory of Insanity, by Will Self. Bloomsbury Publishing, London, 1991.
4. http://en.wikipedia.org/wiki/Will_Self
5. http://en.wikipedia.org/wiki/Bardo_Thodol
6. http://en.wikipedia.org/wiki/Book_of_the_Dead
7. http://en.wikipedia.org/wiki/The_Day_of_the_Jackal
8. http://www.opsi.gov.uk/Acts/Acts1998/ukpga_19980029_en_1
9. Directive 95/46/EC: http://en.wikipedia.org/wiki/Data_Protection_Directive

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or @ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://blog.isc2.org/
http://avien.net/blog
http://blogs.securiteam.com
http://dharley.wordpress.com/

Turkish Delight


Saturday, August 22nd, 2009

So, back in harness. I’ve been away for a couple of weeks: not on holiday as such, though I did take some days out, but concentrating on writing: it didn’t hurt that I didn’t have a full-strength internet connection to distract me, though.

Before I left, I was interviewed by a Turkish security site. It was an interesting experience in that when I get interviewed by the press it’s usually about something fairly specific, whereas this was more of an "opinion piece". Anyway, I assumed that most of you probably wouldn’t want to go and read it in Turkish, but some of you might find it interesting in English. Well, maybe not.

There were only half a dozen questions, but my answers were uncharacteristically verbose, so I’ll split them across a couple of blogs.

Question (1): Are we afraid of surfing on the Internet?
 
I don’t know, but we probably should be. I wouldn’t really want to see everyone so terrified of the hackers and bogeymen that they won’t make use of all the possibilities for business and social networking that the Internet offers, but we should at least have a healthy respect for the risks that Internet browsing entails.
 
I wouldn’t want to turn everyone with an internet connection into a security geek, either, but we (all of us who pride ourselves on being proficient computer users, not just the security industry) haven’t done a good job of conveying to the wider community a sense of what they should and shouldn’t do in order to stay (reasonably) safe. In fact, that’s an important point: if you know that there’s no such thing as safe browsing, you have a choice.
 

  • You can throw your hands up in the air and say "I’m never going to use the web because it’s too dangerous"
  • Or you can stop thinking about risk elimination and start thinking about risk management. Not in terms of a big corporate exercise in PRINCE project management, conforming with ISO standards, and lengthy risk analysis procedures, but just common sense.
    • "Is it sensible to do my online banking at a hotspot in a city park?"
    • "Should I let someone else use my PC when I’m logged on as an administrator?"
    • "Why is my bank sending me email about a problem with my account addressed to ‘Dear valued customer’ instead of using my name?"

Question (2):  What are your opinions about IT Security?

As Gandhi is supposed to have said about Western civilization, I think it would be a good idea.

Well, of course, we have all the security we can handle, but it’s compromised by a fog of misinformation and mythology, half-understood concepts promoted by the media, politicians and so on: it’s no wonder so many people just look at all the conflicting advice and say "I can’t be bothered with all this. I’m just going to click on this icon…"
 
There’s a famous tripartite data security model: Confidentiality, Integrity, Availability. Of course, all three are vital, certainly to a business or to an individual who uses online services to run his finances. But if you lose Availability, your system has failed, irrespective of whether it’s the Wily Hacker, your ISP, or your director of IT who’s stopped you accessing your own data.
 
Question (3): What advice can you offer about gaining experience in Personal Security?

"How do I get to Carnegie Hall?" "Practice…"
 
At any rate, practice is one way of getting experience in personal security. For many people in my generation and earlier (I had my first email accounts before there was such a thing as the world wide web), it was almost the only option: you learned by experience, and if you were very lucky, you learned quickly enough not to jeopardize your own online health or that of your family, friends and workmates. Of course, there were (mostly academic) training opportunities around. As the web started to come together and the Internet ceased to be an academics’ playground as people noticed and seized commercial opportunities, we began to see a lot more commercial training, of highly variable quality.
 
Actually, as a specialist in anti-malware, my perspective is probably particularly jaundiced. There’s never been much training from within the anti-malware industry (and what there is is nearly all vendor-centric). Unfortunately, there’s not much security training from outside the industry from people who are really knowledgeable about malware management. Some SANS training looks up to the mark though, even though the SANS publicity machine can be pretty AV.
 
So at what level of experience are you thinking of here in terms of your audience?

  1. Experienced enough to surf reasonably safely in their spare time?
  2. Enough to carry out their daily IT-oriented work safely?
  3. Enough to be a security professional?

For categories one and two, there are sites that carry reasonably good information for the non-technical reader. The Anti-Phishing Working Group has good resources at http://education.apwg.org/ with information on phishing, money laundering and so on.

ESET is heavily involved with a community project called Securing Our eCity that provides some impartial resources, and we have some white papers, conference papers and so on, on our own web site at http://www.eset.com/download/whitepapers.php, most of which are also non-partisan. Many other vendors have similar resources and most of them now cast their nets far wider than antivirus. SANS (www.sans.org) has an enormous range of resources as well as a range of security-related courses, certifications and so on that is a good starting point for some more professional career paths.
 
However, the term security professional covers an awful lot of ground. It took me about 12 pages of the AVIEN Guide to cover just the main training opportunities for someone with an anti-malware/IDS systems leaning, so I’m not going to be able to do the topic justice in an email.
 
Actually, I can’t do justice to any of these areas here. I have done massive lists of useful URLs in the past, but the last one I made public was in 2007: I probably need to update and republish it.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Blackberry Sundae


Monday, June 29th, 2009

Having worked quite a lot in recent years in the public sector in the UK, I’m not at all surprised that RIM (Research in Motion) is bullish about being assessed by CESG as suitable for use with restricted government data. However, it’s not altogether clear from the documentation published by RIM what this actually means.

Blackberry Enterprise Solution is considered to be "suitable for handling HMG [Her Majesty's Government] information protectively marked RESTRICTED (Impact Level 3)". CESG (Communications-Electronics Security Group, though the expanded name is no longer used) is the Information Assurance arm of GCHQ (Government Communications Headquarters), the Signals Intelligence lynchpin of national security. This standard of assurance is far from easy to achieve. However, RIM’s copious documentation, though accurate as far as it goes, doesn’t tell the whole story: the CESG page at http://www.cesg.gov.uk/find_a/cert_products/index.cfm?menuSelected=1&displayPage=152&id=436 gives a little more detail.

That information classification sounds pretty impressive, and so it is: however, it’s actually partway through an impact level matrix that ranges from zero impact in all respects (level 0) to various serious eventualities such as widespread loss of life, internal political stability, or "exceptionally grave damage to the operational effectiveness or security of UK or allied forces." Here are the issues that qualify as Impact Level 3:

  • Risk to an individual’s personal safety or liberty
  • Minor loss of confidence in Government
  • Make it more difficult to maintain the operational effectiveness or security of UK or allied forces (e.g. compromise of UK forces doctrine or training materials).
  • Cause embarrassment to Diplomatic relations
  • Disadvantage a major UK Company
  • Damage unique intelligence operations in support of intelligence requirements at JIC Priority Three or less.

Potentially serious issues, but they should be seen in the context of the mapping of Impact Levels to standard protective markings, which classify the level of confidentiality that applies to protected data:

  • Impact Level 6 – TOP SECRET
  • Impact Level 5 – SECRET
  • Impact Level 4 – CONFIDENTIAL
  • Impact Level 3 – RESTRICTED
  • Impact Levels 1 & 2 – PROTECT

In other words, this level of protection applies to data to which access is restricted, but it’s a long way down from top secret.

Clearly, this doesn’t mean that anyone in the UK public sector can use any Blackberry for any purpose. The CESG page makes it clear that "This advice is specific to Blackberry(R) Enterprise Solution and should not be construed as being more widely applicable." Furthermore, system administrators are expected to conform with CESG security procedures, and that is likely to involve disabling "features that affect the overall security of the solution".

The assessment only holds if "administrators and users adhere to the CESG security procedures". It’s also specifically stated that use of Blackberry GSM phone functionality should be restricted to NOT PROTECTIVELY MARKED use.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

T-Mobile Data Breach – Or Not…


Monday, June 8th, 2009

Just last Saturday, June 6th, there was a new posting on the Full Disclosure mailing list from a source that calls themselves pwnmobile (at least that’s part of their email address). In the post, pwnmobile claims they have harvested information from T-Mobile USA’s servers. The data they claim to have acquired is:

  • various databases
  • confidential documents
  • scripts
  • applications

Interestingly enough, the poster of the message stated that they supposedly approached T-Mobile’s competitors, but there was no interest and now the data will be sold to the highest bidder. T-Mobile USA, the subsidiary of Deutsche Telekom AG, is currently investigating this claim, and if it is found to be true, will contact their customers according to breach notification laws. T-Mobile USA’s 32.8 million contract customers make up 81% of their total customer base – add to that 36,000 employees. If there truly was a breach of this magnitude, then depending on the findings regarding the source of the breach, it could be costly for the carrier.

So far, the only evidence pwnmobile has offered of breaching T-Mobile USA’s systems is a set of system logs that could have been copied by one or more employees or contractors working for the carrier. This would not indicate a data breach by any means and could simply be a ploy to “take the money and run.”

The pwnmobile safe-mail email address is a good place to start in discovering the identity of the person or group that made the post. According to safe-mail, “We can access data and/or delete an account *only* according to the Terms and Conditions in the Agreement.” Those terms clearly state:

“You may use Safe-mail in ANY legal way for your personal, business or other needs.”

The terms also state:

“You may not use Safe-mail in a way that is threatening, harmful, or invasive of the rights of other; for spamming, chain letters, pyramid schemes, junk mail, unsolicited advertising or bulk e-mail; or otherwise in a way that is damaging, offensive, or that creates a nuisance. Disguising the origin of transmitted content is prohibited. You agree to abide by all laws and regulations applicable to this agreement and use of the e-mail system. This agreement is made under and shall be construed according to the laws of the State of Israel and Israel’s courts will have exclusive jurisdiction over any dispute related to the system or this agreement.”

With increased international collaboration regarding cybercrimes, regardless if they are committed across borders or within their own borders, the pressure is on for the criminals. The old adage, “You can run, but you can’t hide” is slowly, but surely, starting to make more headway. 

Jeff Debrosse
Research Director

HIPAA is not privacy


Tuesday, January 13th, 2009

Many people in the US associate HIPAA with the rules required to protect medical data. It actually is a lot more than that, but the HIPAA laws do require some minimal standards for medical providers.

I recently came across an example of where HIPAA is ineffective. The medical providers are required to protect your data, but they are not required to allow you to protect your data!

I have vision insurance through a company called VSP (www.vsp.com). To set up an account I needed to create a user name and password. So, I created a great password and was promptly told I could not use it because it contained “special characters”. That isn’t a smart approach to security, but I know I can overcome these restrictions by using a long password. I decided to use the password “VSP Security really sucks”. The password was rejected, not because their security does not suck, but because I can’t have spaces in the password. “vspsecurityisstupid” was a perfectly acceptable password, but I had to change it because I just posted it on a blog :-)

Sometimes you really have to take security into your own hands. If you can’t use special characters then it becomes very important to use a very long password.

Next time I’ll write about a popular social networking site with stupid password requirements.

There is a reason that some sites don’t allow special characters. It requires more security work. The special characters can be a security vulnerability for people who do not know how to use databases securely. More on that another time.
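As an added illustration (not part of Randy Abrams’ post, and nothing to do with VSP’s actual system), the following Python shows the defect the paragraph alludes to and the fix. A query built by pasting the password into the SQL text breaks as soon as the password contains an apostrophe, which is what tempts a site to ban “special characters”. A parameterised query, storing a salted PBKDF2 hash rather than the password itself, accepts any password, spaces and quotes included. The table layout and the demo passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed demo: an in-memory SQLite database stands in for a site's user store.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


def register_unsafe(conn, name, password):
    """Builds the statement by string concatenation, so the password is parsed
    as SQL text: an apostrophe ends the literal early and the statement fails.
    Banning 'special characters' hides this defect instead of fixing it."""
    sql = "INSERT INTO users VALUES ('" + name + "', X'00', '" + password + "')"
    conn.execute(sql)


def unsafe_breaks_on(password):
    """True if the concatenated query cannot even store this password."""
    conn = make_db()
    try:
        register_unsafe(conn, "demo", password)
        return False
    except sqlite3.OperationalError:
        return True


def hash_password(password, salt):
    # PBKDF2-HMAC-SHA256 over the UTF-8 bytes: any character, including spaces, is fine.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def register_safe(conn, name, password):
    """Parameterised insert: the driver passes name, salt and hash as data, so no
    character in the password can change the statement, and only a salted hash
    is stored."""
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (name, salt, hash_password(password, salt)))


def verify(conn, name, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


if __name__ == "__main__":
    conn = make_db()
    for pw in ("VSP Security really sucks", "it's a long one; really"):
        user = "user_" + str(len(pw))
        register_safe(conn, user, pw)
        print(repr(pw), "stored and verified:", verify(conn, user, pw),
              "| concatenated query breaks:", unsafe_breaks_on(pw))
```

The point of the pair is that the restriction on the password alphabet was never a security feature: the parameterised version has no alphabet to restrict, and the hash it stores is the same length whatever the user typed.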

Randy Abrams

Director of Technical Education

Protection Part 7


Monday, January 5th, 2009

If sensitive information is stored on your hard drive (and if you don’t have -something- worth protecting on your system, you’re probably not reading this blog…), protect it with encryption.

Furthermore, when you copy or move data elsewhere, it’s usually at least as important to protect/encrypt it when it’s on removable media, or transferred electronically. Even if the target storage device is secure from malware or hacking, you also need to be aware of other dangers such as physical risks, transit risks, business-related risks such as an escrow site going out of business and so on.

Consider (seriously!) regularly backing up your data to a separate disk (as a bare minimum) and, where possible, a remote site or facility. Sounds extreme? Think about it.

You can’t rely on backing up to another partition on the same disk as the original: if the disk dies, the chances are that all partitions will be lost.

You can’t rely on backing up to another disk on the same system. If the system is stolen, or there’s a fire, for instance, then in the immortal words of Tom Lehrer they’ll "all go together". In the latter instance, the chances are that you’ll lose your thumb drives, CD-RWs and so on as well.

And if you’re working in a corporate environment, you might want to avoid doing what one site I know of did, and back up data to a server, but forget to back up the server itself.

I’m sure I don’t need to remind you to take care of your passwords as well, do I?

David Harley BA CISSP FBCS CITP

10 Ways to Protect Yourself: Part 6


Sunday, January 4th, 2009

Don’t disclose sensitive information on public websites like FaceBook or LinkedIn. Even information that in itself is innocuous can be combined with other harmless information and used in social engineering attacks.

Rather than expand on that point, for now, I’m going to point to another "10 ways to protect yourself" resource: the more good advice on security the better, whatever its source.

SANS Institute Security Newsletter for Computer Users Volume 6, Number 1 January 2009, also known as "SANS Ouch!" includes "Ten Do-It-Yourself Computer Security Tips". I don’t always agree with everything that comes out of SANS, but there’s some sound advice there. (But then I would say that: they make some of the same points that we do.)

 

David Harley BA CISSP FBCS CITP

10 Ways to Protect Yourself: Part 5


Saturday, January 3rd, 2009

Don’t trust unsolicited files or embedded links, even from friends.

It’s easy to spoof email addresses, for instance, so that email appears to come from someone other than the real sender (who/which may in any case be a spam tool rather than a human being). Basic SMTP (Simple Mail Transfer Protocol) doesn’t validate the sender’s address in the "From" field, though well-secured mail services do often include such functionality.

I remember years ago one of my colleagues at a medical research charity in the UK sent email as a joke using someone else’s address, a trick that’s easily performed using telnet and an unsecured mailserver. On that occasion, I was able to identify the real sender immediately by his IP address (much to his surprise), but the nature of the 21st century Internet means that there are many ways of concealing such information, if you really want to stay hidden. 

It’s also possible for mail to be sent from your account, without your knowledge, by malware, though malware that does this is far rarer than it used to be. It’s far more effective for a spammer to hire the services of a botherder, nowadays.

There are also many ways to disguise a harmful link so that it looks like something quite different, whether it’s in email, chat or whatever. The disguising of malicious links in phishing emails so that they appear to go to a legitimate site has obliged developers to re-engineer browsers to make it easier to spot such spoofing, but too many people forget to make use of elementary precautions such as passing the mouse cursor over the link so that the real link shows up. In any case, it’s not always easy to tell a genuine site from a fake one just from the URL, even if the URL is rendered correctly. (Early phishing emails tended to rely on exploiting bugs in popular browsers to hide the real target link.) DNS cache poisoning, for instance, allows an attacker to redirect a web query to an IP address under his control.
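One mechanical form of the “hover over the link” precaution, as an added example rather than anything from the original post: parse the anchors in an HTML message and flag those whose visible text is itself a URL on a different host from the one in href, which is exactly the mismatch the mouse-over would reveal. The sample message, the hostname example-bank.com and the address 203.0.113.7 are constructed for the example; the URL-shaped-text heuristic is a deliberately simple assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in a document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL; text with no scheme is treated as a bare host/path."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def looks_like_url(text):
    """Heuristic (assumed): visible text is URL-shaped if it has a scheme,
    or contains a dot and no spaces."""
    return "://" in text or ("." in text and " " not in text)


def suspicious_links(html):
    """Return (visible_text, real_href) for anchors whose text is a URL on a
    different host from the href, i.e. what hovering over the link would show."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    flagged = []
    for href, text in parser.links:
        if href and looks_like_url(text) and host_of(text) != host_of(href):
            flagged.append((text, href))
    return flagged


# Constructed sample message; example-bank.com and 203.0.113.7 are placeholders.
SAMPLE_MESSAGE = """<p>Your account is on hold. Please log in at
<a href="http://203.0.113.7/login">www.example-bank.com</a> within 24 hours.
Help: <a href="https://www.example-bank.com/help">www.example-bank.com/help</a>.
Contact <a href="mailto:support@example-bank.com">our team</a> with questions.</p>"""

if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE_MESSAGE):
        print(f"displayed {text!r} but really goes to {href}")
```

Only the first anchor is flagged: its text names the bank but its href points at a bare IP address. The help link agrees with its text, and “our team” is not URL-shaped, so neither is reported. As the post says, a clean-looking URL is no guarantee on its own; this check catches one common disguise, not a poisoned DNS answer.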

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

%$^& is Fine for Cussing, But Not a Great Password


Tuesday, December 30th, 2008

We’re closing in on the end of 2008 and about to start 7D9, or 2009 for those who do not speak hex. I thought it might be a good time to remind you to change your passwords. There are some important things to remember about passwords. Despite the IT policies that are prevalent throughout the world, really great passwords can be made that do not use upper and lower case letters with numbers and special characters. The really important thing is length. Actually, “The really important thing is length” is a much better password than $kW3P*v9.

There are several reasons why the sentence above is a better password. To begin with, you can remember it so you don’t have to write it down and keep it handy. Even more importantly, it will take a computer far longer to crack the sentence (unless it knows to look for a sentence) than the 8 character password with all of the funny characters, etc.

Adding numbers and special characters does help, but not as much as length does. There is a time when the special characters do become important. That is when you are limited to a short password. For example, the web site “Friendster.com” has a ridiculous policy of only allowing a 10 character password. In a case like this, you want upper case letters, lower case letters, numbers, and special characters. Actually, you want Friendster to get a clue, but you have to take your security into your own hands sometimes.
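The claim that length counts for more than the character mix can be put in numbers. This is an added example, not from the original post: it estimates the exhaustive-search space of a password under a constructed brute-force model in which an attacker who sees any member of a character class must try the whole class. Length multiplies the exponent while the alphabet only changes its base, so the sentence above beats the eight-character jumble by a wide margin, and when a site caps the length (the 10-character case in the post) the alphabet is the only lever left. The guess rate is an assumption, and the model ignores dictionary and passphrase attacks, which is the “unless it knows to look for a sentence” caveat.

```python
import math
import string

# Constructed brute-force model: once an attacker sees that a character class is
# in use, the whole class goes into the alphabet being enumerated.
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation + " ",   # 32 symbols plus the space: 33 characters
)


def alphabet_size(password):
    """Size of the union of character classes the password draws from."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def search_space_bits(password):
    """log2(alphabet ** length): length scales the exponent, the alphabet only its base.
    A sentence a cracker 'knows to look for' is weaker than this model suggests."""
    n = alphabet_size(password)
    return len(password) * math.log2(n) if n else 0.0


def years_to_exhaust(password, guesses_per_second=1e10):
    """Worst-case time to enumerate the whole space at an assumed guess rate."""
    return 2 ** search_space_bits(password) / guesses_per_second / (365 * 24 * 3600)


def stronger(a, b):
    """True if a has the larger search space under this model."""
    return search_space_bits(a) > search_space_bits(b)


def best_mix_under_cap(max_len):
    """With a length cap, compare all-lowercase against all four classes at that
    length: the alphabet is the only thing the user can still increase."""
    full = sum(len(cls) for cls in CLASSES)
    return (max_len * math.log2(26), max_len * math.log2(full))


if __name__ == "__main__":
    for pw in ("$kW3P*v9", "The really important thing is length", "1hundred+5=Threehundred"):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, {search_space_bits(pw):.1f} bits, "
              f"{years_to_exhaust(pw):.3g} years at 1e10 guesses/s")
    lo, hi = best_mix_under_cap(10)
    print(f"10-character cap: lowercase only {lo:.1f} bits, all classes {hi:.1f} bits")
```

Under this model the eight-character password from the post sits near 53 bits and the 36-character sentence above 230, even though the sentence uses a smaller alphabet. The capped comparison is the post’s Friendster point: at ten characters, moving from lowercase only to all four classes is worth roughly 19 bits, which is the most a user can do when length is taken away.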

Reusing passwords can be really bad news. You don’t want to use the same password for your computer log on as for your bank. Important information should be protected with unique and strong passwords.

Changing your password regularly is important as well. How frequently you change your password will depend upon how important the information you are protecting is. Generally, once every three months is a really good idea. That way if your password is cracked, by the time a computer has cracked a good strong password you will have already changed it!

One of the problems with multiple passwords is remembering them all. Tools like Cygnus Password Corral (http://cygnusproductions.com/freeware/pc.asp) can be really helpful. Just remember that you need to keep it on a very safe computer and back up that password file!!!

One of my favorite tricks for creating passwords that I can easily remember and are nice and secure is to make a math equation. Something like “1hundred+5=Threehundred” is long enough to be secure, has a nice mix of characters, and the wrong answer is silly enough to be memorable!

So, make your New Year a little more secure and change those passwords!

(One out of) Ten Ways to Dodge Cyber-Bullets


Tuesday, December 30th, 2008

It’s that time of year when everyone wants a top ten: the top ten most stupid remarks made by celebrities, the ten worst-dressed French poodles, the ten most embarrassing political speeches, and so on. Our research team came up with a few rather more serious ideas, most of which are considered at some length in our about-to-be-published Annual Global Threat report and November Threatsense report, but we thought it might be nice to post some of the information in one or two of those top ten lists here for those who may find the length of the full reports a little daunting, as well as a taster for those who don’t. Rather than simply reproduce those lists, we’ll consider individual items at more length over the next few days.

Perhaps one of the more useful ideas that was tossed around was a top ten of things that people can do to protect themselves against malicious activity. This is the item that we pretty much all agreed should be top of the list. 

Disable Autorun in Windows: this facility is consistently exploited by the class of malware ESET detects as INF/Autorun, among other threats. We’ve been considering this issue in detail for quite a while, now: for instance, in Randy Abrams’ blog here. That class of malware has been consistently at or near the top of our monthly worldwide top ten reported threats as long as I’ve been tracking them. Don’t assume, though, that that single precaution will save you from every example of that type of threat. Most malware uses more than one technique to infect targeted systems.

Another item that didn’t feature in that particular top ten was password stealing malware that targets online gamers, which was another main contender for Public Enemy Number 1 in 2008 (we use the consolidated detection label Win32/PSW.OnLineGames): while there is no single, simple fix for this type of malware, either, gamers should be aware of the need to (a) run security software (b) be aware that there are people out there bent on tricking you into parting with information that will enable them to steal your virtual assets and sell them on in the real world. 

More later.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence