Archive for July, 2007

Crime dramas in Internet-land

Security news lately is starting to sound like an episode of CSI. Death, muggings, theft rings, racketeering, rogue phone taps… it’s the juiciest of evening news fodder!

Today brings three articles pertaining to the real effects of cybercrime and its implications for the future. The first article discusses arrests that have been made due to the TJX and Polo Ralph Lauren data breaches, and why this was such a lucrative target. The second is a detailed account of a rogue wire-tap in a Greek cellphone provider’s network. The third deals with virtual muggings and the possibility of very real racketeering in Second Life.

To me, there are two things that stick out as particularly important messages:

  1. Technology is far outpacing our ability to deal with its implications.
  2. Cybercrime is simply crime and should be treated accordingly.

It’s been said a million times, but it bears repeating: The internet is very much the new “Old West”. We’re in a state of almost total lawlessness, because we have not yet found efficient ways to find and bring criminals to justice. And it’s not just Netizens who’re being harmed by cybercrimes. The victims of the TJX data breach were people who’d visited their brick and mortar stores. So, why is it that security has become such a monumentally complicated issue?

  1. Incredible financial incentive
  2. Lack of knowledge
  3. Lack of data retention
  4. Lack of cooperation

Put simply, the return on investment for cybercrime is enormous. The chance of being harmed in the process of crime is little to none, the time-span before the crime is noticed is longer, and arrests are still reasonably rare.

Both hardware and software change on a rapid basis. Being an expert on even one operating system is a never-ending learning process, and as a result the number of true experts is very few (especially when you consider how many are truly needed). Few governments, corporations or individuals adequately understand or prepare for cybercrime incidents. The “Athens Affair” and TJX incidents illustrate this in living color.

Because it is simply unfeasible to be an expert on more than a narrow range of computing knowledge, it’s of utmost importance for us to cooperate: security companies working with ISPs and law enforcement, different departments within government bodies working with each other, companies and law enforcement agencies sharing what they know, and so on. It’s the knowledge that comes through this cooperation which will be the most vital piece of the puzzle in finally getting cybercrime under control.

For every person reading this blog, here are some questions I put to you:

What is it you are doing, or could be doing, to share information to help end cybercrime? Do your friends and neighbors, your family, your political officials, or your company understand the importance of preparing for or dealing with cybercrime?

Sony sues over DRM rootkit

Now that the dust is well and truly settled on the DRM rootkit fiasco, Sony is suing the company that made the XCP software at the center of the controversy. The suit accuses the company (now called Amergence) of negligence, unfair business practices and breaching the terms of its license agreement.

While I can’t comment on the terms of their license agreement, I find “negligence” and “unfair business practices” to be stretching things a bit. What exactly were they negligent of? Did they fail to keep abreast of the fine line between being malware and merely annoying? Regardless of what side of the DRM/piracy argument you find yourself on, DRM software effectively exists to limit people’s access to or use of files on the CD or computer. It seems that they succeeded admirably in that regard. I’m not even going to touch the question of unfair business practices, as that gets too far into the question of whether DRM is a fair business practice to begin with.

That being said, the thing that really sets this apart from other DRM methods was that it installed files to the local machine, whether you agreed to installation or not. Was this an oversight or intentional, in order to keep files inaccessible while the EULA screen was displayed? I’ll be interested to see if they’re able to prove this one way or the other.

I guess the moral of the story is that more companies than just those directly related to software should be paying attention to the definitions of “Potentially Unwanted Technologies”.

New trend on PDF spam

Yes, PDF spams are now quite a common thing.

Now, in an attempt to bypass detection and add other features, the miscreants are starting to apply encryption to the PDF files. We are starting to see new PDF spams that were ‘encrypted’ with an (unregistered) version of pdfcrypt…

The easy way to recognize these is a big yellow square before the actual spam message…and the ‘Please Register this Version of PDFcrypt’ message…

Password Stealers targeting games are growing more than ever

Month after month, we receive new password stealers and keyloggers, and they enlarge our collections. When they arrive in our hands, some are already generically detected while others must be added to our DAT files. All are itemized and contribute to the global increase of malware which you can observe on our DAT Readme Web page.

In a recent Identity Theft white paper, I made a first count and established the number increased by 250% between January 2004 and May 2006. In order to update that figure, I established some new and more accurate lists.

By the end of June, the malware classified in that category came close to 35,000 items. If the trend goes on, we will reach 45,000 items at the dawn of the next year.

With the load of malware we see, many samples are classified into one or another generic PWS family. However, when it is possible or needed we categorize them more precisely. In December 2006, I explained that collecting credentials to gain access to Massively Multiplayer Online Role-Playing Games (MMORPG) and other social networking communities was a highly valued activity. Less known than banking fraud, this activity can be very profitable. The next chart summarizes the five main families for which we added new items in 2007.

At McAfee Avert Labs the main PWS families are the following (TOP-5 rank per period; “-” means not in the top 5 for that period):

  Targets                                     VirusScan Name   Q1-2007   Q1/Q2-2007
  Banks and e-commerce                        PWS-BANKER       1         1
  Games (MMORPG)                              PWS-LINEAGE      2         -
                                              PWS-LEGMIR       3         4
                                              PWS-MMORPG       -         3
                                              PWS-GAMANIA      4         2
                                              PWS-WoW          5         -
  ICQ, Instant Messaging, Social Networking   PWS-LDPINCH      -         5

Crooks not only make money by collecting, selling or using usernames and passwords for online banking and e-commerce. There is more and more talk of a virtual economy and electronic cash. Some, like Second Life or Entropia Universe, boast about having produced success stories, or rich virtual account holders who have seen their fortune grow into a million actual dollars. Blizzard recently banned more than 5,000 World of Warcraft accounts that were suspected of participating in gold farming activities. eBay made the decision to stop hosting auctions of virtual property, with the exception of Second Life.

When the money circulates, it attracts greed. These latest figures confirm this trend. The bridge between virtual economy and real economy is generating a new form of crime and a new form of illegal profit.

Phish or Fair? Take Our Phishing Quiz and Test Your Phish IQ

How well can you spot phishing sites? Many of the readers of this blog are pretty savvy when it comes to security issues. So, we’ve created a deceptively easy but devilishly hard 10-question phishing quiz. Are you up to the challenge?

Our Phishing Quiz follows on the heels of our Spyware and Spam quizzes. More than 120,000 test results later, we can safely say that we have a lot of work left to do. The average score for the spyware quiz was 59%. For the spam quiz, 55%.

MailFrontier published the first phishing quiz back in 2004. Given the persistence and mutability of this plague, we thought it was time to revisit the issue. Whether it’s rockphishing, or Flash phish, or MySpace scams, phishing continues to evolve and ensnare both the ignorant–the people who don’t know better–and the arrogant–the people who should know better. And victims continue to lose real money. According to Gartner, per-victim losses soared to $1,244 in 2006 from $257 in 2004. That’s nearly a five-fold increase.

We encourage folks to share the quiz with friends and family. Use your expertise and the opportunity presented by the quiz to benefit from some of our hard-earned collective knowledge about phishing. Who knows? Together, we might even save a few people from getting hooked.

Oh Look. An Apple WORM?

If you visit the Infosecsellout blog today, you will see a blog entry announcing a new Apple Mac OS X vulnerability and a link to the SecurityFocus web site.

There is no detail, but the title suggests that a Mac worm could be created using that vulnerability. There is also no mention of the author.

As we were researching this announcement we soon discovered that more accurate and interesting information was originally posted–but rapidly removed–on that blog. If you visited it on Sunday, you were able to read a note from the man who claims to be the worm author. His motivations were clearly visible: “I wrote this for my own purposes and it will be demonstrated to those who asked me to engage in this work. Yes, I am being compensated for this”.

In that blog entry, the possible author gave some details about his proof of concept, which could easily be changed to be more malicious.

He said his code uses an unpatched variant of the mDNSResponder vulnerability recently fixed by Apple. According to him, the worm gains remote root access, compromises its first system, places a text file on the desktop and moves on to attempting to compromise other systems on the same network.

This story proves two things. The first is that the Macintosh on Intel is an interesting target; real outbreaks are more possible than ever. The second is that the lure of money motivates many people, more or less scrupulous. It is another cause for concern.

The Nduja Job: Into The World Of XSS Worms

Cross-site scripting (XSS) is a type of vulnerability typically found in web applications, which allows malicious web users to inject code into the web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy.

One of the older stories of XSS worms dates back to 2002, when there were claims of XSS flaws in Hotmail which could be exploited to broadcast e-mail to everyone in the address book of the infected user. Last year there was a surge in worms targeting websites with XSS flaws, such as Samy and Yamanner.

The advent of many popular websites that post XSS cheat sheets online, and their constant updates, makes attackers well aware of XSS filters and the possible ways of evading them. Adding to the woes are “JavaScript XSS Scanners”, automated tools for finding cross-site scripting vulnerabilities in web pages.

XSS worms are becoming more and more sophisticated. Lately there’s been a lot of attention on a proof-of-concept (POC) worm which goes by the name Nduja. The worm spreads by exploiting cross-site scripting vulnerabilities in four leading webmail providers.

The life cycle of the Nduja worm is similar to that of a classic e-mail worm; it is capable of:

  1. Harvesting e-mail addresses present in the Inbox.
  2. Collecting the contacts’ e-mail addresses from the address book.
  3. Self-propagating to those contacts.

A recent advance in this direction is the creation of a hybrid worm with both a client-side and a server-side component. The technique used is XSS tunneling. Portcullis Computer Security has published a whitepaper describing XSS tunneling in detail. A typical attack scenario (also described in the paper) is as follows:

XSS Tunnel
  1. An attacker infects a website with a persistent or reflected (temporary) XSS attack which calls a remote XSS Shell JavaScript.
  2. The victim follows a link or visits the page and executes the JavaScript within that domain.
  3. The victim’s browser begins to perform periodic requests to the XSS Shell server, looking for new commands.
  4. When the victim’s browser receives a new command, it processes it and returns the results to the XSS Shell.
  5. The attacker can push new commands to the victims’ browsers and view the results from the XSS Shell administration interface.

Could this technique grow into an XSS-based botnet? Keep your eyes on this space; we will keep you posted with updates as it happens.

Multitasking Fraudsters

I had a recent encounter with online fraud and social engineering that was unusually complex.

I was selling an item on eBay. The item was brand new, and retails for $250. So, imagine my surprise when I received the email announcing the auction ended with a winning price of $395!

This was followed about two hours later by another email from eBay, notifying me that the auction had been canceled due to fraudulent bidding.

I didn’t think much of it, other than being mildly frustrated at later having to relist the item and wait for another auction to complete.

The next day I received a poorly constructed fake PayPal “confirmation” email, showing that the winner of the auction had sent me funds, not only for $395, but with an additional $100 for shipping! The terms at the end were distinctly out of sync with the actual PayPal process (warning of account cancellation unless the item was shipped and a tracking number sent, and the highly suspect paypal.enquiry@OfficeEmail.net address specified for communications). The shipping address for the item? A location in Nigeria.

What I found interesting was that the hyperlink to the eBay item included in this fake payment email pointed to the United Kingdom version of eBay, with a completely different item number. That auction had been pulled as well by the time I received the email, so I couldn’t examine what was going on. My suspicion is that my original auction posting may have been duplicated in hopes that it would remain if the original auction was discovered as fraudulent and canceled. (BTW, kudos to eBay for quickly identifying and canceling both!)

About an hour after this fake payment message, I got an email from the “winner” of the auction:

Hot on the heels of this, I next received what ended up being the final communication:

Although the whole endeavor lacked a lot in establishing authenticity, I was intrigued by the different elements that were used in the attempt. To sum up, we have:

  1. Fraudulent bidding to push an eBay item well beyond its reasonable value, along with…
  2. Possible duplication of the auction posting in an attempt to support…
  3. A fraudulent PayPal notice, which includes social engineering elements of both additional money and threatened account suspension, followed by…
  4. Multiple communications from the auction “winner” that also include both negative (threatening to involve law enforcement) and positive (offer of possibly even more money beyond the already ridiculously inflated price) social engineering elements.

That’s a good amount of work to go through to get hold of my $250 item! Nonetheless, I could imagine more sophisticated versions of such a multipronged fraud attack being disturbingly effective.

Security Cost of Social Computing

As recently as five years ago, most of us probably communicated electronically only through either e-mail or phone. If someone wanted to pry into these communications, they had to tap our phones, steal our phone records or hack our e-mail accounts. But today, we voluntarily leave bits and pieces of our personal lives scattered all over the Internet. From elaborate profiles on social networking sites (such as Facebook, which, for example, has experienced a growth explosion in Australia as of late) to innocuous comments on personal blogs of others, we publish our likes and dislikes, our affiliations, political views and even our day to day routine for pretty much the whole world to see. In fact, younger Internet users appear to be leading the way. And it’s not all just play either. We increasingly rely on sites like Seek, monster.com and LinkedIn to advance our careers as well. These days, not only do we seem to leave a part of our digital personality wherever we spend a lot of time online, but we also seem to bundle a much greater part of our lives into this digital personality.

Now, is it too much of a stretch to imagine digital identity thieves and other fraudsters working hard, even as we speak, using the awesome power of modern search engines to put together these various online clues to piece the puzzle that is the digital you? I think not! I believe that this is already happening on a wider scale than any of us would like to believe. We’ve made it easier for anyone to discover who we are and increased their chances to get acquainted with us, no matter where in the world they are. Especially with social networking sites and online dating sites, shady characters could easily work their way into our trust gradually, starting off as a “friend of a friend of a friend” or a potential love interest. From the stories I’ve heard, this seems to be taking place a lot more than I would have considered to be the case.

To compound the issue, online services are becoming extremely complex. With a diverse set of functionalities and the ability to “host applications” or mash-ups, these online platforms are getting as complex as operating systems themselves. What does this all mean? Well, it means that online services are increasingly exposed to attacks like Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF), not to mention the oldest trick in the book: social engineering. Unfortunately, traditional anti-virus software, personal firewalls and host-based intrusion prevention products are at present not always well suited to address these threats.

Our online world is changing and it’s changing fast. With the explosion of exciting new possibilities also come a set of unfamiliar risks. So what do we do? Do we curb our enthusiasm and say no to progress? Not at all. Fear is hardly the solution. All we have to do is to be a bit more proactive about our online security. Make sure we educate ourselves on the latest threats. Think twice about what personal information we share online and with whom. If you happen to notice something “fishy” going on, please notify someone who could look into that. While the security industry is moving fast, innovating new technology to provide better protection, you are still the single most important contributor to online security; both yours and ours that is.

Be safe and have a great social computing experience!

Apple iPhone

The Apple iPhone was released in the USA on 29 June 2007. Running a stripped-down version of OS X makes it very powerful but might also open the door to malware exploits.

There’s no SDK (Software Development Kit) for creating native applications on the iPhone device itself; instead Apple seems to want Safari-based applications. Developers need to create applications for the iPhone with Web 2.0 technologies such as Ajax, to run in the Safari browser. Web 2.0 applications can access the iPhone to make phone calls and send e-mails. This too might be exploited or abused by malware.

On the other hand, the inability to change native operating system files would make malware creation less tempting. It also means that AV vendors don’t have easy access to low-level OS hooks to quickly create and update programs such as on-access scanners. Apple decided to launch exclusively with AT&T, and at the moment it is not possible to use any other arbitrary SIM card with the iPhone. Not many people want to be bound to that contract, so there are many projects going on to get around it. The result is that many people are using hacks to activate it. So the iPhone will not be able to make use of your own SIM card and may just be a very expensive iPod! But if people succeed in cracking it, then even more people will think about using that crack. Needless to say, this is a huge security risk as well. So the exclusive rights deals might have a negative impact on security.

While Apple can control content that’s posted on its own iTunes website, it can’t do much about, say, podcasts with web links to adware/malware websites that are posted to arbitrary websites such as YouTube. Since the Apple iPhone will support YouTube videos, the chance that podcasts or videos with clickable questionable/malicious web links may appear is certainly not zero. The Apple iPhone can access YouTube’s content using the WiFi or EDGE (via AT&T) connections.

Merely a week after its official release on 29 June, on 3 July 2007 the first bugs were discovered. Abusing a Safari web browser exploit, it might be possible to retrieve someone else’s voicemail due to the “easiness” with which one can spoof the caller ID of the provider AT&T/Cingular. At the time of this writing, it did not even ask for a password. The iPhone’s root password can also be cracked, the continual bane of passwords overall.

On 23 July 2007 an exploit was discovered which could lead to attackers taking over an iPhone if a malicious website is visited. The malicious website would serve exploit code to the iPhone, which would result in the attackers being in full control of all of the iPhone’s functionality: transmitting files, making phone calls etc. Read the full stories below:

http://www.exploitingiphone.com/
http://www.securityevaluators.com/iphone/

It is to be hoped that such exploits remain proof of concept, allowing the hardware and software vendors to come up with fixes, and that they are not put online or made available to the public.