ESET Threat Blog

Archive for the 'Web 2.0' Category

Operation Cyber ShockWave


Tuesday, February 16th, 2010

While serving in the Marine Corps, one activity that I felt was effective in preparing both myself and my unit to be able to handle real-world scenarios, was getting as much experience as possible from military training exercises. In most cases multiple branches worked together or, as in the case with NATO exercises, multiple countries worked together. The goal was always to prepare us for various potential scenarios as well as learning to quickly adapt due to the impossible-to-calculate number of permutations of attacker, weapons, target, collateral damage, etc. 

Today the Bipartisan Policy Center (BPC) held a simulated cyber attack against the United States. The goal was to take a group of former high-ranking Cabinet and national security officials and have them complete the mission of advising the president throughout the crisis. Their responses, like the intelligence and news feeds, were in real time. The full list of participants is available from the PRNewsWire press release (http://www.prnewswire.com/news-releases/cyber-shockwave-hits-washington-83570087.html). 

The exercise began at 10 am EST and lasted for three hours. During that time, the attack escalated from cellular networks to electrical utilities. The exercise was designed by former CIA Director Michael Hayden in partnership with the BPC. 

To understand the scope and capabilities of the adversaries we are facing in today's connected world, I selected what I thought was a very applicable report: Annual Threat Assessment of the US Intelligence Community for the Senate Select Committee on Intelligence. This report is from the congressional testimony on February 2, 2010, by US Director of National Intelligence, Dennis Blair. Below are samplings of his comments: 

"The cyber criminal sector in particular has displayed remarkable technical innovation with an agility presently exceeding the response capability of network defenders. Criminals are developing new, difficult-to-counter tools."

"Criminals are collaborating globally and exchanging tools and expertise to circumvent defensive efforts, which makes it increasingly difficult for network defenders and law enforcement to detect and disrupt malicious activities."

The full testimony (PDF) is available here (http://www.dni.gov/testimonies/20100202_testimony.pdf)

This brings to mind the old adage, "fight fire with fire" – which is applicable when combating cybercrime and cyber attackers. Continually increasing global cooperation (for instance: laws, extradition agreements, criminal sentences) coupled with fast-paced innovation can have the direct impact of not only closing the gap, but also plain and simply putting them in a "hurt locker" (aka "world of hurt") since, in many cases, cybercriminals/attackers don't feel pain commensurate with the scale and scope of their crimes. 

I brought up cybercrime because a number of the tools and techniques are similar or identical between cybercriminals and those that would wage cyber warfare. In fact, if you were to follow the money trail of all cybercrime activity there is a very high probability that you will ultimately encounter an adversary that is planning, or conducting, cyber attacks against the United States.  

By now you can read about operation Cyber ShockWave from just about anywhere on the 'net. You can also go to the Bipartisan Policy Center's web site directly: http://www.bipartisanpolicy.org/events/cyber2010. This weekend CNN will be providing special coverage of Cyber ShockWave (Saturday February 20). 

Hopefully this exercise provided realistic attacks and the video coverage will show the decision-makers "making the call" in different scenarios. For obvious reasons, the "big gaping holes" shouldn't be exposed to the world, but at the very least, it does bring awareness to a problem that governments across the world face on a daily basis – how to handle the dynamic nature of threats as they continually evolve. 

Jeff Debrosse

Sr. Research Director

Nice Smartphone, Mr. Darcy: Fact, Fiction & the Internet


Thursday, January 21st, 2010

OK, I'll save the novel for another time.

However, there's a rather less ambitious snippet of my recent writing at http://www.eurograduate.com/article.asp?id=3015&pid=1, an article called "Fact, Fiction and the Internet," which, further to some of my recent posts here, touches on the dangers of social networking.

Though you might think that someone with as many twitter accounts as myself is a fine one to talk about the sparing use of Web 2.0 applications.

The article is part of the run-up to Infosecurity Europe (27th-29th of April) where I'm talking about Mac security. Well, that should ensure lots of friendly email from Mac fanboiz. 

Well, since we all know there's no such thing as a Mac security problem, I guess I'd better go and write some Mach-O Trojans. (Guys, that's a joke!)

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or @ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macviruscom.wordpress.com/

Armor for Social Butterflies


Tuesday, September 8th, 2009

I was speaking with our friend David Perry at Trend Micro about the insecurity of social networking services and what steps users could take to strengthen their security online. In the course of our conversation, we came up with a list of simple steps you could take to better protect yourselves.

  • Be careful about whom you befriend. Many social networking services seem to be structured around an online popularity model, making prominent note of how many friends, links, nodes or other connections you have. This is definitely a smart move on their part, since it not only encourages you to spend more time on their site, but it also greatly reduces their marketing and customer acquisition costs, since you do the work for them. Think about whether or not you really need to add that person to your network before linking to them. While it may be fun to be a social butterfly in the real world, it might be better to be something of an armadillo online.
     
  • Think before you click. Do not take it for granted that URL shortening services like bit.ly and TinyURL are redirecting you to trustworthy web sites. URL shortening is great for micro-blogging services like Twitter; however, because you typically cannot see the destination URL beforehand, there is a certain amount of risk. Also, there is an issue as to what happens to shortened URLs over the life of the service. What happens if they get recycled or hijacked and re-pointed to a new malicious web site? Also, what happens if the business goes under and the domain name gets acquired by a malicious (or merely incompetent) organization? Twitter and Bit.Ly use Google’s Safe Browsing API to check for malicious sites, and TinyURL provides a Preview option which allows you to see the address of a web site before visiting it. While these are good security steps, they are not a replacement for protecting your computer with security software. For additional information, see the following ESET ThreatBlog articles: "Shorteners/Redirectors: short of ideas," "Compressed URLs & Twitter," "TinyURL: The Tiny Terror," and "TinyURL and Anti-Spyware Toolbar." 
  • It’s a matter of trust. Many social networking sites have APIs (application programming interfaces) that allow developers to create various add-ons, plugins, web applications and programs that connect with the service. Just because a social networking site has security and privacy policies does not necessarily mean that third-party tools have them as well, or that they take them as seriously. Know the difference between a social networking site and applications from other parties used to interact with it, and find out what policies each party has with respect to information you might enter, such as your username and password. 
  • Browse differently. Consider using a different web browser to visit social networking web sites. If you normally use the web browser provided by your operating system vendor, consider using one by an independent software provider. While these may not have the same features or look-and-feel as the web browser provided with your operating system, criminals are less likely to take the time to look for exploits in web browsers used by fewer people, and to target them as they do more popular web browsers. Cybercriminals nowadays are in search of a good ROI (return on investment) and it is much more profitable for them to look for holes in a web browser that can be found running on 70% of computers than it is to spend time probing web browsers used by the remaining 30% of users. 
  • Get unplugged. When visiting social networking sites, disable scripting, plugins, Java and Flash and only enable each feature as and when it is needed. Running your web browser in a sandbox or a virtual machine can provide an additional layer of protection as well. 
  • Truth is relative, and so are your relatives. Social networking sites often collect a wide variety of biographical information, not just to allow you to reset your password, but to allow people to find each other on their site. This kind of searchable information is a goldmine for identity fraudsters. So, think about the answers to questions you are being asked, and consider when it might be appropriate to lie a little. For example, the answers to questions about birthdays, mother’s maiden names, first pets and the like are commonly used to reset a password. Knowing or being able to find the answers to these types of questions easily makes it easier for someone to steal your identity, even if you aren’t an Alaskan governor running for the office of Vice-President. If you use false answers, though, consider keeping a small notebook or stack of index cards near your computer to keep track of the data you enter into each social networking site should you ever need to reset your password. For more information about keeping your personally-identifiable information safe, see ESET ThreatBlog article "Honesty Is Not The Best Policy For Password Resets." Keep in mind also that if you aren’t sure of the identity of all your Twitter followers and Facebook buddies, telling the world that you’re on vacation for the next three weeks might be opening the door to a physical intruder. 
  • tRuSt_no_1. Use a strong and a different password for each social networking site. If you have a methodology for creating strong passwords, make sure it is complex and distinctive enough that the accidental disclosure of two or three passwords on social networking sites will not compromise all the others. Because passwords are such an integral part of the computing experience, we frequently discuss them. For additional information you can read the following ESET ThreatBlog articles: "Password Mythology," "Emotions Are Poor Passwords" and "%$^& is Fine for Cussing, But Not a Great Password" as well as ESET’s white paper on creating secure passwords, "Keeping Secrets." 
  • Dial it up to 11. Many social networking sites offer different levels of privacy and security, and the default values are usually to allow others to see your information and contact or otherwise connect with you. While it may seem like overkill to increase the security so that only your peers and friends can see you and to approve all invitations to connect manually, it actually requires far less effort (and embarrassment) than having to de-louse your computer. And it saves you from having to apologize to all your online buddies about the message they received from your stolen credentials asking them visit web sites containing pictures of naked Hollywood starlets. Note: This may be less of an issue for you if you normally tell your friends to visit these types of web sites. 
  • Make friends with The Man. Many social networking sites have an official security web page, group or address that you can follow, join or otherwise befriend. Stay abreast of site-specific security issues by reading what they have to say. Here are the privacy and security pages for several social networking sites: Digg, Facebook, Friendster, Hi5, MySpace, Orkut, StumbleUpon, Twitter and Xbox LIVE. Keep in mind, though, that the quality of such pages can be highly variable, as is the speed of response from each site. Sometimes, what is best for them commercially may not always be the best for your personal safety. 
  • Staying safer in the aether. If you regularly access social networking sites from a wireless connection make sure you have taken appropriate precautions to secure your computer. For more information, see the ESET ThreatBlog article, "Fly By Wireless." 
  • Advanced tip: Limiting access. More advanced users and network administrators might want to consider using site blocking to limit access to social networking sites, or at least ancillary sites used by programs that interface with them by way of their APIs. This can be done in many ways, such as blocking through the hosts file, using an RBL (real-time block list) in conjunction with your security software and/or gateway router, or even implementing a pseudo-caching DNS server on your network.
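The "Advanced tip" above names two of the blocking techniques only in passing. The following is an added example, not code from the ESET post, showing how the hosts-file approach and a dnsmasq-style "pseudo-caching DNS server" approach differ in what they actually block. The domain names and the existing hosts-file content are constructed sample values; the `address=/domain/ip` line format is real dnsmasq syntax, but no dnsmasq instance is run here.

```python
"""Block a list of ancillary domains two ways: hosts(5) entries, which match an
exact name only, and dnsmasq 'address=' lines, which sinkhole a whole domain
tree. Added example; domain names below are constructed placeholders."""

import re

# Constructed sample block list: ancillary domains an administrator has decided
# to sinkhole. These are placeholders, not real ad or API hosts.
BLOCKLIST = ["ads.example-social.test", "api.example-social.test"]

# Sinkhole address. 0.0.0.0 fails fast; 127.0.0.1 would instead send every
# blocked request to whatever is listening locally on that port.
SINKHOLE = "0.0.0.0"

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(name):
    """Lower-case a hostname, drop a trailing dot and validate each label.
    Whitespace or odd characters would silently corrupt a hosts file, so reject them."""
    n = name.strip().lower().rstrip(".")
    if not n or not all(_LABEL.match(label) for label in n.split(".")):
        raise ValueError(f"invalid hostname: {name!r}")
    return n


def hosts_entries(domains, sink=SINKHOLE):
    """hosts(5) lines. Each entry matches that exact name and nothing beneath it."""
    return [f"{sink} {normalize(d)}" for d in domains]


def dnsmasq_entries(domains, sink=SINKHOLE):
    """dnsmasq 'address=/domain/ip' lines: the local resolver answers the domain
    and every subdomain of it with the sinkhole address."""
    return [f"address=/{normalize(d)}/{sink}" for d in domains]


def existing_hosts_names(hosts_text):
    """Names already mapped in a hosts file, ignoring comments and blank lines."""
    names = set()
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        names.update(f.lower() for f in fields[1:])  # fields[0] is the address
    return names


def merge_hosts(hosts_text, domains, sink=SINKHOLE):
    """Return hosts_text with missing block entries appended, never duplicated."""
    present = existing_hosts_names(hosts_text)
    new = [f"{sink} {d}" for d in map(normalize, domains) if d not in present]
    if not new:
        return hosts_text
    body = hosts_text if (not hosts_text or hosts_text.endswith("\n")) else hosts_text + "\n"
    return body + "\n".join(new) + "\n"


def blocked_by_hosts(name, domains):
    """True only if the exact name is listed: hosts files do not match subdomains."""
    return normalize(name) in {normalize(d) for d in domains}


def blocked_by_dnsmasq(name, domains):
    """True if the name is a listed domain or lies anywhere beneath one."""
    n = normalize(name)
    return any(n == d or n.endswith("." + d) for d in map(normalize, domains))


if __name__ == "__main__":
    # Constructed sample hosts file; one entry is already present.
    sample_hosts = "127.0.0.1 localhost\n0.0.0.0 ads.example-social.test # already blocked\n"
    print(merge_hosts(sample_hosts, BLOCKLIST))
    print("\n".join(dnsmasq_entries(BLOCKLIST)))
    probe = "cdn.ads.example-social.test"
    print(probe, "hosts:", blocked_by_hosts(probe, BLOCKLIST),
          "dnsmasq:", blocked_by_dnsmasq(probe, BLOCKLIST))
```

The point the probe at the end makes is the one to carry away: a hosts file only stops names you enumerate, so an application that talks to a new subdomain of the same service sails past it, whereas a resolver-level rule covers the whole tree. The trade-off is that a wildcard rule also blocks legitimate names under that domain, so check the tree you are sinkholing before deploying the dnsmasq form on a gateway.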

Social networking sites are meant to be fun places where you can network and spend time online with your friends. However, the Internet is just like the real world when it comes to which neighborhoods you choose to spend time in. Keep aware of your surroundings and protect yourself appropriately. For further information about staying safe online, I would suggest, as a jumping off point, visiting Securing Our eCity, a public and private initiative in which ESET and other companies, organizations and agencies participate.

Regards,
 
Aryeh Goretsky MVP, ZCSE
Distinguished Researcher

Sunday Miscellany


Sunday, January 18th, 2009

Here are a few rather disconnected items that I intended to blog about last week, but never had time to write up.

First of all, an interview with an adware author from philosecurity.org that went up on 12th January. Excerpt:

"Matt Knox, a talented Ruby instructor and coder, talks about his early days designing and writing adware for Direct Revenue. (Direct Revenue was sued by Eliot Spitzer in 2006 for allegedly surreptitiously installing adware on millions of computers.)"

Secondly, an amusing little item from The Register: apparently one of the authors of the Zlob Trojan thoughtfully embedded an encouraging message to Microsoft into a recent variant:

"Just want to say ‘Hello’ from Russia. You are really good guys. It was a surprise for me that Microsoft can respond on threats so fast. Happy New Year, guys, and good luck!… BTW, we are closing soon. Not because of your work. :-) ) So, you will not see some of my great ;) ideas in that family of software. Try to search in exploits/shellcodes and rootkit."

Wish I could believe it… Apparently this individual also claimed that Microsoft had offered to pay him to work on improving Vista’s Security, unaware of his malware authoring activities. Well, I suppose it might be true, but I can’t help but wonder why so many sources seem to be taking it for granted that someone who writes malware is bound to be telling the truth.

And, finally, a slightly different angle on the perils of twittering (cheep! cheep!) to the spoofing issues we’ve mentioned here over the past week or two. Extract:

"This particular Twitter posting came back to bite the agency person from Ketchum (New York office) who made some unflattering remarks about Memphis this morning before he presented on digital media to the worldwide communications group at FedEx (150+) people."

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

BCS Blogs


Saturday, January 17th, 2009

As a Fellow of the British Computer Society (is that the sound of a self-blown trumpet I hear?) I get daily emails that I often don’t have time to read. Which is a pity, because when I do, I often find an interesting nugget. Sometimes I even get a paper magazine (remember those?) through the post, as I did this morning. Not primarily security, of course, but not irrelevant either.

One of the items that caught my eye was an item on a new group looking at the future of computing. Well, that’s an area we’re pretty interested in here, too, of course, so I looked a bit further. It turns out that there’s a founding panel consisting of Dave Cliff (a professor of computer science with a background in AI research), Zoe Lock of the Technology Strategy Board, Kieron O’Hara (a senior research fellow at the University of Southampton and the author of a number of books including "Plato and the Internet"), and Chris Yapp, senior strategy consultant at Capgemini.

The group is starting off with a "FutureTech.FutureSoc" blog covering topics like complexity, business and society, and web sciences. Not many entries up there at the moment, but those that are look pretty interesting. The most recent post, by Chris Yapp, talks about a recent book by Don Tapscott, author of "Growing Up Digital" that I haven’t read yet, but certainly intend to now.

If you’re interested enough to take a look, you might also want to check out the other BCS blogs, especially the quirky oddIT blog, the security blog, and the ethics blog. Like all volunteer efforts, the posts seem fairly sparse, but much of what there is is thought-provoking. See you there, maybe?

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence.

Self-Protection part 9


Wednesday, January 7th, 2009

It occurs to me that I should make it clear that this "top ten" isn’t in any particular order. Like the other "top ten" suggestions by the research team that are likely to find their way here in the near future, they’re all significant issues that need thinking about.

Point 9 (a short one!) is, don’t connect to just any “free Wi-Fi” access point: it might alter your DNS queries or be the “evil twin” of a legitimate access point, set up to intercept your logins and online transactions. (When I have occasion to see what networks are being offered me in hotels, airports, even in the apartment block where I live, I have to wonder how many of them are legitimate…)

Let’s go back to a previous point, though, about issues with LinkedIn and other "Web 2.0" resources. In that particular blog, we were talking primarily about giving out sensitive information in public forums. However, if there’s one thing that’s become obvious in the past few days, it’s that there are many other security issues with sites like Twitter and LinkedIn. Here’s a link to an article about the association of fake LinkedIn profile pages with malware.

Let’s be careful out there.

David Harley BA CISSP FBCS CITP