ESET Threat Blog

Archive for the 'Security' Category

The Blame Game


Tuesday, November 10th, 2009

I recently learned a new acronym: SODDI (Some Other Dude Did It). It refers to the defense that criminals routinely use (plausible deniability) – and even more so when it comes to illicit activities on the Internet.

On Sunday, November 8th 2009 the Associated Press published an article regarding an individual who was accused of possessing child pornography. After 11 months, and at a personal expense of $250,000, computer forensics proved that the computer had become infected with malware that was designed to download illegal content. Malicious software was the culprit at work behind the scenes.

This kind of activity has been discussed for quite a few years as a potential liability for the owner of any computer that has been infected. Software designed to conduct remote operations can surreptitiously download any kind of digital material to a person’s machine, or establish connections to (or probe and attack) any target. This would make the owner of the infected computer appear to have broken one or more of many laws, including illegally accessing a network, theft of intellectual property (IP) and child pornography – to name a few. Basically, any action that an attacker or criminal can directly perform on the Internet can also be duplicated and executed from a victim’s computer. The end result is truly horrific for the victims, who have to defend themselves when the trail leads to them – and seemingly stops at their computers.

There are numerous examples of this occurring. For instance, substitute school teacher Julie Amero’s life was undeniably, and tragically, altered after the school computer she was using in a 7th grade classroom started displaying pornographic images to her students. After significant expense, the loss of a teaching career and other losses, she was finally convicted of a lesser charge (in 2008) and given a reduced fine.

Cases like these are where several (of many) cybercrime issues converge:

  • Laws: many legal systems still struggle to catch up with cybercrimes
  • Plausible deniability: the challenge of proving that a person is the one that used their computer to commit an act (usually a criminal act)
  • Attribution: lack of attribution across the Internet impairs the ability to accurately, and with a high degree of confidence, trace internet connections/packets back to their source(s)

When two or more of these elements are combined, the end result is typically a confusing, and potentially indefensible, gathering of forensic data that can either let a criminal “walk” or cause an innocent person to be charged, tried and sentenced.

In any war there is a term known as “collateral damage”. In the war against cybercriminals, the collateral damage is clear and unmistakable. As a society, when we gain more overall forensic analysis experience and systems are capable of providing more accurate attributable information, we should see a diminishing number of cases of innocent victims and more (and stiffer) convictions for the bad guys.
   
Jeff Debrosse
Senior Research Director

 

National Cyber Security Month


Monday, October 19th, 2009

 

October is National Cyber Security month. Groups like the National Cyber Security Alliance are promoting awareness of cyber security.

On Tuesday at 11 AM Eastern Daylight Time (8 AM PDT and 4 PM GMT) Department of Homeland Defense Secretary Janet Napolitano will be giving a speech that will be broadcast live at www.dhs.gov.
 
The Secretary will discuss the:
• urgent need to counter the threat of cyber attacks
• shared responsibility for staying safe online
• leadership role DHS is playing on cybersecurity

If you are able to view the speech I think it will be interesting.

Randy Abrams
Director of Technical Education

Oh Yeah, That’s How It Should Work!!!


Friday, August 28th, 2009

Recently a security company was hired to test the security of a Credit Union. The security company (MSI) ran a penetration test and mailed a letter with a couple of CD-ROMs to the Credit Union. The letter appeared to come from a reliable source, but it was unexpected, and the employee who received it was well trained and sounded the alarm. The result was that the National Credit Union Administration (NCUA) sent out an alert to their members and the press picked up the story as well.

A penetration test is no test at all if it is expected. The result of this test was that all of the credit unions, and many other people, learned a valuable lesson in security.

You can read about what happened, and the explanation of the story at http://stateofsecurity.com/?p=766#comment-19560

Randy Abrams
Director of Technical Education

Turkish Delight (2)


Sunday, August 23rd, 2009

This is part two of a recent email interview with a Turkish web site, with part one made available here for the benefit of those of us who don’t speak Turkish.

 I’ve done a little editing on parts one and two, primarily for cosmetic reasons.

Question (4): What are the golden rules for using the Internet with peace of mind?
 
If I find any such golden rules, I’ll let you know. :)
 
If there is one golden rule, it’s "Don’t take anything you’re told for granted." There are plenty of people out there – hackers, crackers, scammers, spammers, phishers, 419-ers, botherders, hoaxers – who have no compunction about lying to you in order to get your money, your identity, your World of Warcraft avatar, or just to prove to themselves that they’re cleverer than you are. There are others who have something to sell to you – a product, a service, a web site, subscription to a magazine, a blog – who may not intend to mislead you, but don’t know enough not to mislead you.
 
This, of course, begs the question "so how do you know whose advice to trust?" which I suppose takes us back to that list of resources I need to update. Even then, of course, you might not want to take my word for what defines a good resource. :)
 
Question (5): What are the main reasons there is so much more cybercrime than there was? How can we prevent these crimes?
 
There are some obvious answers to this question and at least one that isn’t so obvious. Of course, I don’t guarantee that any of them are correct answers. ;-)
 
One of the obvious answers is that cyberspace is where more and more of us work (and indeed spend our leisure time). So there’s more money there than there used to be when comparatively few commercial transactions were carried out online.

Then there’s the fact that some facets of internet usage are fundamentally insecure, in the sense that there are all sorts of insecure protocols that allow technical attacks. Also, there are very many transactions that entail no physical encounter and so facilitate some form of masquerading or identity theft, or even an interception attack.

The less obvious answer is that for some people, it’s easier to make a victim out of someone you never see. Not (only) because they don’t get the chance to check you out in person (face-to-face gives you clues and cues that simply aren’t available online, or so attenuated – e.g. by webcam – that they’re even less reliable than the hunches you get when you meet someone). Not (only) because if they don’t ever meet you, the chances are they won’t be able to identify you after the crime has been committed. But because unless you’re an out-and-out sociopath, it’s easier to do something nasty to someone when you never see them, or have to think about what they’re like (deindividuation or depersonalization). To me, the psychology of cybercrime is in some ways far more interesting than the technical aspects. Which is why I’ve moved further and further away from hands-on analysis, I guess.
 
So how do we prevent cybercrime? Well, the only way to prevent it altogether is to change human nature. Crime is crime, and it’s inherent in human nature (at least in a world of economic inequality and mental instability). You can attenuate it by education and nurture, by teaching scepticism to the unwary, and by deploying technical solutions. Many security professionals believe that the technical approach is the only one that works, but that isn’t so. None of them work 100% but they all work some of the time. In my experience…
 
Question (6): Finally, can you provide some illustration of your advice on the strength of your personal experiences?
 
Now there’s a question… I didn’t actually intend to get into this area at all. In the 1960s I went to university to read social sciences and psychology, then went on to work in all sorts of areas, from music to the building trade to healthcare. By 1989, I was working in medical informatics/administration and doing a degree in computer science and had suddenly become a de facto information resource on malware. By the end of the ’90s, I actually knew something about malware, and now I actually work in that industry rather than on the fringes of anti-malware research, where I’ve been working for the past 20 years (nearly: I consider my entry into the computer security industry to date from the 19th of December 1989, for reasons that I plan to blog on nearer the time).

But I’m not at all sure how I got here!

David Niven said something in one of his autobiographical books (I think it was "The Moon’s a Balloon", but it might have been the other one) about how he never got over the feeling that at some point someone was going to tap him on the shoulder and say something like "OK, Niven, we’ve sussed out that you don’t know what you’re doing: you can go home now." I know exactly how he felt: I’ve had the privilege of working with some incredibly talented people, and I sometimes wonder why they give me the time of day, let alone such frequent opportunities to open my mouth in public. I guess it’s because I’ve made something of a career out of trying to bridge the knowledge gap between them and the rest of us.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/ 
 

Turkish Delight


Saturday, August 22nd, 2009

So, back in harness. I’ve been away for a couple of weeks: not on holiday as such, though I did take some days out, but concentrating on writing: it didn’t hurt that I didn’t have a full-strength internet connection to distract me, though.

Before I left, I was interviewed by a Turkish security site. It was an interesting experience in that when I get interviewed by the press it’s usually about something fairly specific, whereas this was more of an "opinion piece". Anyway, I assumed that most of you probably wouldn’t want to go and read it in Turkish, but some of you might find it interesting in English. Well, maybe not.

There were only half a dozen questions, but my answers were uncharacteristically verbose, so I’ll split them across a couple of blogs.

Question (1): Are we afraid of surfing on the Internet?
 
I don’t know, but we probably should be. I wouldn’t really want to see everyone so terrified of the hackers and bogeymen that they won’t make use of all the possibilities for business and social networking that the Internet offers, but we should at least have a healthy respect for the risks that Internet browsing entails.
 
I wouldn’t want to turn everyone with an internet connection into a security geek, either, but we (all of us who pride ourselves on being proficient computer users, not just the security industry) haven’t done a good job of conveying to the wider community a sense of what they should and shouldn’t do in order to stay (reasonably) safe. In fact, that’s an important point: if you know that there’s no such thing as safe browsing, you have a choice.
 

  • You can throw your hands up in the air and say "I’m never going to use the web because it’s too dangerous"
  • Or you can stop thinking about risk elimination and start thinking about risk management. Not in terms of a big corporate exercise in PRINCE project management, conforming with ISO standards, and lengthy risk analysis procedures, but just common sense.
    • "Is it sensible to do my online banking at a hotspot in a city park?"
    • "Should I let someone else use my PC when I’m logged on as an administrator?"
    • "Why is my bank sending me email about a problem with my account addressed to ‘Dear valued customer’ instead of using my name?"

Question (2): What are your opinions about IT Security?

As Gandhi is supposed to have said about Western civilization, I think it would be a good idea.

Well, of course, we have all the security we can handle, but it’s compromised by a fog of misinformation and mythology, half-understood concepts promoted by the media, politicians and so on: it’s no wonder so many people just look at all the conflicting advice and say "I can’t be bothered with all this. I’m just going to click on this icon…"
 
There’s a famous tripartite data security model: Confidentiality, Integrity, Availability. Of course, all three are vital, certainly to a business or to an individual who uses online services to run his finances. But if you lose Availability, your system has failed, irrespective of whether it’s the Wily Hacker, your ISP, or your director of IT who’s stopped you accessing your own data.
 
Question (3): What advice can you offer about gaining experience in Personal Security?

"How do I get to Carnegie Hall?" "Practice…"
 
At any rate, practice is one way of getting experience in personal security. For many people in my generation and earlier (I had my first email accounts before there was such a thing as the world wide web), it was almost the only option: you learned by experience, and if you were very lucky, you learned quickly enough not to jeopardize your own online health or that of your family, friends and workmates. Of course, there were (mostly academic) training opportunities around. As the web started to come together and the Internet ceased to be an academics’ playground as people noticed and seized commercial opportunities, we began to see a lot more commercial training, of highly variable quality.
 
Actually, as a specialist in anti-malware, my perspective is probably particularly jaundiced. There’s never been much training from within the anti-malware industry (and what there is is nearly all vendor-centric). Unfortunately, there’s not much security training from outside the industry from people who are really knowledgeable about malware management. Some SANS training looks up to the mark though, even though the SANS publicity machine can be pretty AV.
 
So at what level of experience are you thinking of here in terms of your audience?

  1. Experienced enough to surf reasonably safely in their spare time?
  2. Enough to carry out their daily IT-oriented work safely?
  3. Enough to be a security professional?

For categories one and two, there are sites that carry reasonably good information for the non-technical reader. The Anti-Phishing Working Group has good resources at http://education.apwg.org/ with information on phishing, money laundering and so on.

ESET is heavily involved with a community project called Securing Our eCity that provides some impartial resources, and we have some white papers, conference papers and so on on our own web site at http://www.eset.com/download/whitepapers.php, most of which are also non-partisan. Many other vendors have similar resources and most of them now cast their nets far wider than antivirus. SANS (www.sans.org) has an enormous range of resources as well as a range of security-related courses, certifications and so on that is a good starting point for some more professional career paths.
 
However, the term security professional covers an awful lot of ground. It took me about 12 pages of the AVIEN Guide to cover just the main training opportunities for someone with an anti-malware/IDS systems leaning, so I’m not going to be able to do the topic justice in an email.
 
Actually, I can’t do justice to any of these areas here. I have done massive lists of useful URLs in the past, but the last one I made public was in 2007: I probably need to update and republish it.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Adobe Flash Settings


Wednesday, August 5th, 2009

As I previously pointed out (http://www.eset.com/threat-center/blog/2009/08/04/calling-adobe%E2%80%99s-bluff), Adobe is at best deceptive about claims of the security and privacy of Flash.

Even if you do not know what Flash is or how to find it, you probably have it on your computer. If you open Control Panel and go to the “Add or Remove Programs” application you will probably see it listed there. There could be a few entries: “Adobe Flash Player 10 ActiveX” for Internet Explorer and “Adobe Flash Player Plugin” for Firefox. In my limited testing, it appears that configuring Flash in one browser takes care of both if you have multiple browsers installed.
If you click on an Adobe Flash Player entry in add or remove programs, then you will see a link that says “Click here for support information”. Clicking that link will bring up a box with the version information. It is a good idea to make sure that you have the most current version.

Flash has had vulnerabilities that were real security problems for people. Flash is installed without regard to user privacy. Flash can be configured, but most people do not know how. In fact you have to go to http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html in order to configure your Flash player.

If Adobe cared about privacy and security then these settings would be presented upon installation. These settings should be configurable from your computer without requiring web access.

Once you go to the settings manager at macromedia.com then you need to go through several steps.

The “Global Privacy Settings Panel” allows you to prevent access to your microphone and web cam, or be prompted each time there is an attempt to access these devices. The panel does not show which option is currently enabled, even after selecting an option.

The “Global Storage Setting” lets you specify how much space a new website can use on your computer. Some space is required at times. Additionally, you can prevent third-party websites from storing Flash content on your computer by unchecking the box that says “Allow third-party Flash content to store data on your computer”. Finally, you can choose whether or not to store common Flash components to reduce download time. For more information about these choices, read the information under the settings manager.

The “Global Security Settings” panel allows you to prevent one website from letting another website access your computer. For both privacy and security I recommend against allowing this.

The “Global Notifications Settings” panel will allow you to change the default time period for checking for updates. I set mine to every 7 days since there is not an option to check every day. Given the rash of vulnerabilities recently found in Adobe products it is prudent to update as frequently as possible.
The “Website Privacy Settings” panel allows you to set specific camera and microphone settings for websites you have already visited. If you trust a website that uses your microphone and camera, then let that one access the devices, not all websites.

Finally, the “Website Storage Settings” panel allows you to delete all of the cookies and other stuff you never authorized to be stored on your computer in the first place, and Adobe didn’t think it was important to let you choose if this could happen when you installed Flash.

I choose to be prompted before a site can store data on my computer. I also choose not to let one website let another website access my computer. If it breaks a Flash application then I simply didn’t need that application enough to use it.

Randy Abrams
Director of Technical Education

Calling Adobe’s Bluff


Tuesday, August 4th, 2009

Dear Adobe,

It is time to put up or shut up. Your web site FAQ http://www.adobe.com/products/flashplayer/security/privacy_policy/faq.html has the following entry:

Does Flash Player compromise my privacy and security?

No. Flash Player is not only the most widely distributed piece of software on the Internet today, it’s also one of the most secure. Given that Flash Player is in use by over 500 million internet users we invest considerable effort into keeping Flash Player safe and secure.

In the past, vulnerabilities in Flash have compromised the security of users. Are you going to guarantee there will be no more Flash vulnerabilities that are exploited?

It seems to me that the statement is misleading. As for privacy, Flash can compromise privacy and most users do not know when it happens or how to prevent it.

How about answering the question “Does Flash Player compromise my privacy and security?” honestly? The honest answer is that it can compromise both.

Randy Abrams
Director of Technical Education

Data Breaches – It’s All Greek to Me


Tuesday, July 14th, 2009

The results (released yesterday) from a study conducted by the Ponemon Institute yielded some interesting data points. The most visible of these was the finding that 85% of U.S. organizations experienced data breaches of varying magnitudes. This study, entitled "U.S. Enterprise Encryption Trends", is now in its fourth annual publication. The data was directly obtained from 997 respondents who were asked whether or not they had experienced a data breach within the past 12 months. I don’t know about you, but 85% is a bit too rich for my blood!
Below is a sampling of the key findings from the report:
  • Data breaches continue to be a huge problem: Eighty-five percent of organizations surveyed had had at least 1 data breach in the last 12 months, demonstrating that there is no let-up in breaches, as this is consistent with the 84 percent sited [sic] in the 2008 report. Companies suffering more than 5 data breaches rose to 22 percent in 2009, up from 13 percent in 2008.
  • More than 70% have fully executed or just launched a data encryption strategy in their organization. Once again, data encryption strategies are being implemented across a majority of the respondent participants. The majority of organizations, 78 percent, have some type of encryption strategy, up from 74 percent in 2008 and from 66 percent in 2007.
  • Encryption of data on mobile data-bearing devices used by employees is very important or important. More than 59 percent of respondents say it is very important or important to encrypt employees’ mobile devices – a sign that organizations recognize that valuable data is more mobile than ever.
  • On average a company will pay $202 per record compromised, and, in total an average of $6.6M should they experience a data breach.
As with other security-related topics, there’s the “So what does this mean?” question. First of all, it’s costing companies more to be breached – period. This is a very good thing because it’s our information that’s been getting lost or stolen, not theirs. Secondly, organizations are taking a much closer look at how to best secure data in all of its phases (at rest, in motion and in use). It’s a very positive move in the right direction. If you look at the latest numbers regarding personally identifiable data that have been involved in breaches (within the U.S.) you’ll see an interesting crossing-over point: there are now more records that have been exposed in data breaches than there are users on the internet. Let’s look at this a little closer:
  • Domestic population (census.gov): 307M
  • Personally-identifiable records involved in data breaches (privacy rights clearing house): 262.5M
  • Domestic Internet penetration rate (internetworldstats.com): 74.4% (251M users)
This clearly indicates that it’s not being on the Internet that is attributable to a person’s information being exposed – it’s the tremendous amount of information stored or transmitted in clear text that is problematic. I’m sure that if I cross-reference these numbers with the Bureau of Labor and Statistics’ numbers, we’ll find an even more interesting correlation. Bottom line, 262M is not that far off from 307M. Will some part of every American’s personal information be involved in a data breach in the next few years?
With populations growing globally, there will always be the need to store information about the ever-increasing amounts of people. What is required, though, is to make this information worthless in the event of a breach – whether that breach originates from an outside entity or from the loss of a portable computing or storage device.
It’s no mystery to many readers of this blog that the root word for cryptography is the Greek word Kryptos – which means “hidden”. It appears that many years ago, the early Greeks may have had the answer to what plagues us today – the glut of personally identifiable information involved in data breaches. Encrypting (hiding) data is one very real approach to de-monetizing data breaches. To cover this point in its entirety we’d have to open another discussion on key management, but that’s material for another blog (or white paper).
The full Ponemon report is available at: www.encryptionreports.com/.
Jeff Debrosse
Sr. Director, Research

The Faces of Cybercrime


Tuesday, June 23rd, 2009

I was recently reminded of the truism that security is about managing risk. You cannot eliminate all risk. When we think of cyber criminals we tend to think of phishers, criminal gangs writing malware to steal passwords, and eBay scammers. So we try to deal with “reputable” companies to eliminate the risk of theft and fraud, but as you will see, this does not always work out.

Cybercrime is simply crime committed using computers and/or the internet. There are a variety of variations on this definition, but I think this one works just fine.

Dealing with a reputable company can minimize your risk of fraud or theft, but it does not eliminate it. Before I get to my specific example, it may be useful to explain “Bait and switch”.

Bait and switch is essentially when a company offers a product at one price, but then fails to honor the offer. They may fail to honor the offer by offering an inferior product or by raising the price.

I recently booked a round trip flight from Frankfurt, Germany to Amsterdam, Holland on KLM airlines using the Northwest Airlines web site. Northwest Airlines sent an email confirming my purchase of the flight for the price of $313.63. The next thing Northwest Airlines, who incidentally are the same as Delta Airlines now, did was to silently cancel my ticket. Northwest knew that I would be stranded in Frankfurt with my only real option being to pay KLM, who is also Air France, more than twice as much money to make my appointment in Holland.

This appears to be a particularly nefarious bait and switch scam in that the airlines know the customer can’t easily back out of the deal. One might say that it was an accident, but logically if it was an accident then Northwest Airlines would have accepted responsibility for the increased fare and refunded the difference since they were exclusively at fault for not notifying a passenger when they cancel a ticket. I contacted Northwest and their response was that they were sorry, but they would accept no responsibility for their actions. I would guess they have a pretty lucrative kickback scheme with Air France and that the money will be pretty hard to trace.

You can dramatically reduce risk by dealing with well known companies, but you can’t eliminate it. In this case, Northwest Airlines used the internet, which is how I booked my tickets, to perpetrate what appears to be a classic bait and switch scam.

I’ll figure out who the appropriate law enforcement agencies are and see what they think about it. In the meantime, I’ve filed a complaint with the Better Business Bureau.

Randy Abrams
Director of Technical Education
ESET LLC

Microsoft Security Essentials?


Monday, June 22nd, 2009

Microsoft is releasing a beta of their new antivirus product. Previously Microsoft announced that they would discontinue OneCare.

The choice of the name “Security Essentials” is amusing. I’m not in the camp of those who think that you can’t have “Microsoft” and “security” in the same sentence, but just the same, Microsoft does say “If you already have antivirus software installed you probably don’t need this service.” That doesn’t sound much like an essential to me!

The other amusing aspect is that the name is “Microsoft Security Essentials” which is plural. Anti-virus is only one aspect of security.

All jokes about the name aside, Microsoft hopes that their free solution will get people who currently do not use antivirus software to install the Microsoft offering. Given the numerous choices for free antivirus software out there, I do not see how this will be effective, but more power to Microsoft for trying.

I addressed the potential impact of Microsoft entering the antivirus industry at the Virus Bulletin conference back in 2006. Back then I predicted that this would have little impact on the market and it has had little impact, except for pricing. OneCare introduced a 3 PC pricing model that some other vendors have followed. OneCare was almost free and I don’t see a free offering changing the landscape much.

I am reminded of an ad I once saw for Shoei motorcycle helmets. The ad said “If you have a $10 head wear a $10 helmet.”

At ESET we are confident that an abundance of consumers will continue to choose a quality product based upon the track record, performance, effectiveness, and support, rather than simply choosing what is free.

The word “Microsoft” makes this a news story; not much else about it does.

Randy Abrams
Director of Technical Education