March 4, 2010 p2A, USA TODAY

The Koobface worm is a case study of how swiftly cybercriminals react to emerging trends. Koobface first appeared in the fall of 2008 just as social networks were getting hot. Its creators initially sent Facebook users friendly messages asking them to click on a link to see a video.

Doing so called up another message asking the recipient to click on an executable file — a small computer program — needed to upgrade a video player required to view the video. In a classic bait-and-switch, clicking on the file instead turned over control of the PC to the attackers. The worm then automatically sent similar viral messages from the victim’s account to his or her Facebook friends.

TECH THREAT: How cybercriminals invade social networks, companies

Persuading someone to click on the malicious file was huge; it meant the victim was intentionally choosing to run the bad code. So no actual hack of the computer’s hard drive was needed. “They’ve tricked you into doing their dirty work,” says Chet Wisniewski, senior analyst at anti-virus firm Sophos.

Koobface’s controllers continually refine their pitch, often tying come-ons to celebrity news; they’ve pioneered new ways to quickly alter the bad code just enough to counteract antivirus filters designed detect malicious programs and block them.

And they’ve aggressively extended their attacks to large and small social networks, including MySpace, Twitter, Hi5, Bebo, MyYearbook and Friendster. “Their inventiveness is astonishing,” says Sergei Shevchenko, senior researcher at anti-virus firm PC Tools.

Thus far, the gang has been content to generate revenue mainly by routing promotions for worthless anti-virus protection or fake drugs to each computer they infect. “The business model is simple, ‘low-effort, quick money,’ ” says Shevchenko.

But there is little stopping Koobface’s controllers from renting out infected PCs to other criminals, a common practice. “Horse-trading between botnet operators may result in changes in the way the victim’s computer is used over time,” says Gunter Ollmann, vice president of research at security firm Damballa.

USA TODAY  P. 1A 04Mar2010

SAN FRANCISCO — “Hey Alice, look at the pics I took of us last weekend at the picnic. Bob”

That Facebook message, sent last fall between co-workers at a large U.S. financial firm, rang true enough. Alice had, in fact, attended a picnic with Bob, who mentioned the outing on his Facebook profile page.

So Alice clicked on the accompanying Web link, expecting to see Bob’s photos. But the message had come from thieves who had hijacked Bob’s Facebook account. And the link carried an infection. With a click of her mouse, Alice let the attackers usurp control of her Facebook account and company laptop. Later, they used Alice’s company logon to slip deep inside the financial firm’s network, where they roamed for weeks. They had managed to grab control of two servers, and were probing deeper, when they were detected.

Sidebar: How the Koobface worm is evolving to keep bad guys ahead

Intrusions like this one — investigated by network infrastructure provider Terremark — can expose a company to theft of its most sensitive data. Such attacks illustrate a dramatic shift underway in the Internet underground. Cybercriminals are moving aggressively to take advantage of an unanticipated chink in corporate defenses: the use of social networks in workplace settings. They are taking tricks honed in the spamming world and adapting them to what’s driving the growth of social networks: speed and openness of individuals communicating on the Internet.

“Social networks provide a rich repository of information cybercriminals can use to refine their phishing attacks,” says Chris Day, Terremark’s chief security architect.

This shift is gathering steam, tech security analysts say. One sign: The volume of spam and phishing scams — like the “LOL is this you?” viral messages sweeping through Twitter — more than doubled in the fourth quarter of 2009 compared with the same period in 2008, according to IBM’s X-Force security research team. Such “phishing” lures — designed to trick you into clicking on an infectious Web link — are flooding e-mail inboxes, as well as social-network messages and postings, at unprecedented levels.

An infected PC, referred to as a “bot,” gets slotted into a network of thousands of other bots. These “botnets” then are directed to execute all forms of cybercrime, from petty scams to cyberespionage. On Tuesday, authorities in Spain announced the breakup of a massive botnet, called Mariposa, comprising more than 12 million infected PCs in 190 countries.

Three Spanish citizens with no prior criminal records were arrested. Panda Security, of Bilbao, Spain, helped track down the alleged ringleader, who authorities say has been spreading infected links for about a year, mainly via Microsoft’s free MSN instant messenger service.

“It became too big and too noticeable,” says Pedro Bustamante, senior researcher at Panda Security. “They would have been smarter to stay under the radar.”

What happened to Bob and Alice, the picnickers at the financial firm, illustrates how social networks help facilitate targeted attacks. As a rule, tech-security firms investigate breaches under non-disclosure agreements. Honoring such a policy, Terremark used pseudonyms for the affected employees in supplying USA TODAY with details of what happened at the financial institution.

Investigators increasingly find large botnets running inside corporate networks, where they can be particularly difficult to root out or disable. “Social networks represent a vehicle to distribute malicious programs in ways that are not easily blocked,” says Tom Cross, IBM X-Force Manager.

Koobface gold mine

The attacks run the gamut. In just four weeks earlier this year, one band of low-level cyberthieves, known in security circles as the Kneber gang, pilfered 68,000 account logons from 2,411 companies, including user names and passwords for 3,644 Facebook accounts. Active since late 2008, the Kneber gang has probably cracked into “a much higher number” of companies, says Tim Belcher, CTO of security firm NetWitness, which rooted out one of the gang’s storage computers.

“Every network we see today has a significant problem with some form of organized threat,” Belcher says. The Kneber gang “happened to focus on collecting as many network-access credentials as possible.”

Stolen credentials flow into eBay-like hacking forums where a batch of 1,000 Facebook user name and password pairs, guaranteed valid, sells for $75 to $200, depending on the number of friends tied to the accounts, says Sean-Paul Correll, researcher at Panda Security. From each account, cyberscammers can scoop up e-mail addresses, contact lists, birth dates, hometowns, mothers’ maiden names, photos and recent gossip — all useful for targeting specific victims and turning his or her PC into an obedient bot, Correll says.

On the high end, the Koobface worm, initially set loose 19 months ago, continues to increase in sophistication as it spreads through Facebook, Twitter, MySpace and other social networks. At its peak last August, more than 1 million Koobface-infected PCs inside North American companies were taking instructions from criminal controllers to carry out typical botnet criminal activities, says Gunter Ollmann, vice president of research at security firm Damballa.

In another measure of Koobface’s ubiquity, Kaspersky Labs estimates that there are 500,000 Koobface-controlled PCs active on the Internet on an average day, 40% of which are in the U.S., 15% in Germany and the rest scattered through 31 other nations. “The personal information employees post day-by-day on Facebook is turning out to be a real gold mine,” says Stefan Tanase, a Kaspersky Lab senior researcher.

Facebook, the dominant social network, with 400 million members and therefore the biggest target, says recent partnerships with Microsoft and security firm McAfee to filter malicious programs help keep compromised accounts to a small percentage. “We are constantly working to improve complex systems that quickly detect and block suspicious activity, delete malicious links, and help people restore access to their accounts,” says spokesman Simon Axten.

Still, social networks have grown popular because they foster open communication among friends and acquaintances, which plays into the bad guys’ hands, says Eva Chen, CEO of anti-virus firm Trend Micro.

“These new communication platforms are where people go, so that’s where the hackers are going,” Chen says.

Meanwhile, discussions about restricting workplace use of social networks and training employees to be more circumspect are just beginning to percolate at venues like the big tech security trade show here this week sponsored by RSA, the security division of EMC. “Most larger businesses simply ask employees to watch their time spent on social-networking sites,” says Ollmann.

A noisy attack

Each infected PC in a corporate network represents a potential path to valuable intellectual property, such as customer lists, patents or strategic documents. That’s what the attackers who breached Google and 30 other tech, media, defense and financial companies in January were after. Those attacks — referred to in security circles as Operation Aurora — very likely were initiated by faked friendly messages sent to specific senior employees at the targeted companies, says George Kurtz, McAfee’s chief technology officer.

The attack on the picnicking co-workers at the financial firm illustrates how targeted attacks work. Last fall, attackers somehow got access to Bob’s Facebook account, logged into it, grabbed his contact list of 50 to 60 friends and began manually reviewing messages and postings on his profile page. Noting discussions about a recent picnic, the attackers next sent individual messages, purporting to carry a link to picnic photos, to about a dozen of Bob’s closest Facebook friends, including Alice. The link in each message led to a malicious executable file, a small computer program.

Upon clicking on the bad file, Alice unknowingly downloaded a rudimentary keystroke logger, a program designed to save everything she typed at her keyboard and, once an hour, send a text file of her keystrokes to a free Gmail account controlled by the attacker. The keystroke logger was of a type that is widely available for free on the Internet.

The attackers reviewed the hourly keystroke reports from Alice’s laptop and took note when she logged into a virtual private network account to access her company’s network. With her username and password, the attackers logged on to the financial firm’s network and roamed around it for two weeks.

First they ran a program, called a port scan, to map out key network connection points. Next they systematically scanned all of the company’s computer servers looking for any that were not current on Windows security patches. Companies often leave servers unpatched, relying on perimeter firewalls to keep intruders at bay. The attackers eventually found a vulnerable server, and breached it, gaining a foothold to go deeper.

A short time later, the attackers were discovered and cut off. One of Bob’s Facebook friends mentioned to Bob that the picnic photos he had sent had failed to render. That raised suspicions. A technician took a closer look at daily logs of data traffic on the company’s network and spotted the vulnerability scans.

Terremark’s Day says two or three collaborators, each with different skill sets, most likely worked together to pull off the attack. “They were noisy about how they went about this,” says Day. “Had they been quieter they would’ve gotten much further.”

The FTC put nearly 100 companies and agencies on notice that their employees appear to be regularly leaking large amounts of sensitive customer and employee data on popular P2P networks

The FTC did not name names, either of the victimized organizations or of the P2P networks. But the problem is well-known in tech-security circles. And it appears to be exacerbated by rising d0-more-with-less demands on being placed on employees.

“Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure,” says FTC Chairman Jon Leibowitz. “Just as important, companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing.”

Data leaking from home PCs

This is a long-debated concern on which studies have been done and for which Congressional hearings have been held. The basic problem has to do with well-meaning employees taking company files home and loading them on their personal PCs to work on.

If that PC is subsequently used to download free music or videos at LimeWire, Kazaa or dozens of other P2P networks — and the user is not careful about configuring the download — work files can get exposed to all users of the network.

“It sounds preposterous, but sensitive information leaking out unintentionally like this is amazingly common,” says Eric Johnson, director of digital strategies at Dartmouth’s Tuck School of Business. “Look at the file sharing networks and you’ll find people exposing things all the time.”

In fact, data leakage via P2P networks has become so commonplace that there are cybercrime gangs who specialize in continually searching P2P sites for sensitive work documents. FTC investigators easily found health-related information, financial records, drivers’ license and social security numbers accessible on P2P networks — “the kind of information that could lead to identity theft,” says Leibowitz.

The FTC is conducting “non-public investigations” of other companies whose data are turning up on P2P networks. It also today released new education materials to help companies deal with the problem.

Doing more with less

A big driver of the problem is the fact that many employees today are under intense pressure to take on tasks previously assigned to others who’ve been laid off in the down economy.

Striving to produce more, employees feel compelled to take work home and use their own equipment and network hookups to complete assignments, says Lisa Sotto, head of privacy and information management at New York law firm Hunton & Williams.

Sotto says companies need to establish and enforce policies relating to the access and use of sensitive company data, and train employees on best security practices.

“Awareness is critical,” she says. “A lot of people don’t know that there is a problem.”

The FTC is calling on the  roughly 100 organizations whose data it found littering p2p sites to  identify affected customers and employees and “consider whether to notify them that their information is available on P2P networks.” The agency pointed out that most states and federal regulatory agencies have data breach notification laws requiring such disclosure.

By Byron Acohido

Both involved nothing-out-of-the-ordinary cyberattacks that quixotically rose above the din to grab international headlines.

The mainstream attention is welcomed. It helps to underscore how the Internet underground has advanced to the point where a plethora of powerful hacking tools and services  is readily available to  novice hackers and elite crime gangs alike –  with  prices  to fit every budget.

“Hacker have more options and are getting better at execution,” says Don Jackson, senior researcher at SecureWorks. “The script kiddie of today is much more dangerous that the script kiddie of five years ago, or even one year ago.”

Pricing of hacking tools

In Operation Aurora, Chinese hackers sent targeted messages to specific senior managers at 30 corporations luring  them to click on a corrupted Web link. Clicking on the link activated a  hacking tool designed to tap into a fresh zero-day vulnerability in Internet Explorer browser.  The crooks likely paid $5,000 or maybe more for this  cutting-edge malicious code.

Such zero-day attacks have long become commonplace, of course. The template for zero-day attacks  dates back to December 2005, and the antics of the  Russian iframeCash.biz gang, led by Andrej Sporaw. The enterprising  Sporaw and company  flushed out a fresh zero-day hole in a Windows operating system component, called Windows metaframe file, and began exploiting the WMF hole to launch pop-up ads for early versions of scareware. You can read about that in this chapter of my book, Zero Day Threat: The Shocking Truth About How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity.

In the Chinese zero-day attack last month,  one of the targeted corporations happened to be Google — in a mood to complain. The search giant cried foul, igniting an international brouhaha over how China does business.

By contrast, the Kneber botnet gang paid nothing for the powerful, simple-to-use ZeuS hacking tool they’ve been using to harvest account logons from tens of thousands of botted PCs inside hundreds of corporate networks. The version they used has for months been readily available for free on criminal forums.

ZeuS is best known as a widely popular banking Trojan. Current versions of ZeuS sell for up to $10,000, and are used by elite cyber gangs to wire funds from of the online banking accounts of small- and medium-sized businesses, as LastWatchdog recounted in this investigative story. But older, free versions of ZeuS work just fine for turning an infected PC into a bot and harvesting all the PC’s account logons that are stored in Web browser cookies,  says  SecureWorks’ Jackson.

To bot PCs with their free copy of Zeus, the Kneber gang most likely is patronizing spamming specialists to send out email lures and enticing Facebook messages and Twitter tweets enticing them to click on a corrupted Web link. The cost: as low as $10 per 100,000 spammed messages.

Those fooled into clicking on the link got the Kneber gang’s free copy of ZeuS installed. The gang probably spent something on the order of $300 to $1,000 to rent an Internet-connected server on which they collected and stored the harvested account logons delivered by their fresh  bots.

Drawing notariety

It was this command & control/storage server that  NetWitness tracked down and accessed in late January. NetWitness’ report on what it found — 68,000 account logons stolen from 75,000 botted PCs in 2,411 corporate networks in 196 countries — drew big headlines in the Wall Street Journal and New York Times. Journal tech security beat reporter Siobhan Gorman reported that the affected companies included Merck, Cardinal Health, Paramount Pictures and Juniper Networks.

NetWitness’ media coup  sparked some sniping from rival tech security vendors McAfee and Symantec; each cast aspersions on NetWitness’ characterizations of the significance of its findings. NetWitness shot back with this point-by-point response.

Competitive bickering aside, the fact is any capable researcher could have similarly tracked the Kneber gang’s activities, since they put no effort into stealth. NetWitness went one big step further and exfiltrated stolen data from the gang’s server. Still,  “compared to other ZeuS operations, this was minor league,” says Jackson.

Gunter Ollmann, research director at Damballa and a leading botnet expert, says ZeuS is like the iPhone of hacking tools, spawning a multitude of third party plug-in applications. “There are plenty of tutorials and scripts available for criminals to copy and learn from,” says Ollmann. “Think of ZeuS as a Swiss Army knife with a Lego interface.”

Amateurs are getting more widely involved in harvesting data because there is a rich and robust market for valid account logons, which dangle like candy in the Web browsers of workplace laptops and PCs. And it remains true that many people use the same username and password to gain access to multiple accounts, security experts say.

“There has always been a market for stolen data,” says Frank Kenney, VP of Global Strategy for Ipswitch File Transfer. “Today, the speed at which that information gets leveraged is astounding.”

Corporations are having a difficult time keeping up.

“Most organizations do not have the continuous, real-time monitoring in place to detect this type of activity,” says Phil Neray, vice president of security strategy at IBM’s Guardium subsidiary. “Many of them still focus on defending network perimeters … others focus exclusively on meeting compliance checklists, forgetting that the true mission of security teams is to protect high-value corporate data.”

By Byron Acohido

Coming on the heels of  Facebook’s controversial privacy-setting revamp,  the launch of  Buzz has enervated privacy advocates and cybersecurity experts. They’ve long been voicing  concerns about how tech giants seem bent on  lowering the bar for defacto privacy and security, motivated by profit.

” Facebook and Google understand that social media marketing and advertising will be key to generating substantial revenues,” says Jeff Chester, executive director of the Center for Digital Democracy.  “They are driving the default settings for  social data collection and use.  Privacy advocates need to get regulators in the United States and Europe to take a tough stand.”

The Electronic Privacy Information Center has been doing just that.  EPIC today, 16Feb2010, filed this  formal complaint about Buzz with the  Federal Trade Commission. EPIC contends Buzz  violates user privacy expectations, diminishes user privacy, contradicts Google’s own privacy policy, and may also violate federal wiretap laws. Last December, EPIC filed this similar  complaint, signed by eight other privacy and consumer groups, asking the FTC to investigate Facebook’s revamped privacy settings.

“Both companies have broken promises to their users about how personal information would be used,” says says Marc Rotenberg, executive director. “They did so in ways that were misleading, unfair, and deceptive. These are serious concerns for any user of these services.”

Algorithmically-growing community

You may recall that Facebook last December revamped its privacy settings. The company maintains that the revisions mainly gave users more flexiblity. But the changes also made it easier for Facebook to expand the volume of user-generated content it is able to feed into real-time search results, a hot new functionality on Google, Microsoft Bing and Yahoo Search.

Then last Tuesday, Google piggy-backed Buzz — a hybrid social network that’s part Facebook, part Twitter — onto the Gmail accounts of the 176 million users of its free online email service. To instantly establish a community of Buzz users interacting with each other,  Google used an algorithm that selects up to 50 of your Gmail contacts and designates them as your Buzz followers; Google assumes these folks will be interested in any Buzz microblogs you might post. So it  makes this pre-designated list of your followers, as well as the list of people it has designated you to follow, available Internet-wide.

One woman complained that this configuration allowed her abusive ex-husband and his friends to begin following private comments she had been sharing with her boyfriend on Google Reader, a free Web content aggregation service also hooked into Buzz.

Initially, Buzz users had to navigate  several confusing steps to disable this “auto-follow” feature. Responding to complaints, Google last Thursday made it easier to turn off auto-follow. Then on Saturday, with complaints still rolling in, Google made it possible to selectively revise its pre-designated list of followers and reduced the number of steps it takes to turn off Buzz. It also decoupled Buzz from Google Reader and Google Picasa photo albums.

Bending consumer behavior

Still, users who move too quickly through Buzz’s set-up routine risk Internet-wide disclosure of people with whom they heretofore exchanged emails privately, says William McGeveran, a law professor at the University of Minnesota who specializes intellectual property and privacy.

This public outing of your email penpals could include your psychiatrist, your sports bookie or your secret lover. It might also reveal your prospective clients or your bill collectors. “The people you email the most may not be your friends,” says McGeveran. Even after two revisions Buzz “still puts the onus on the individual user to take several steps to get greater privacy,” he says.

CNET tech news blogger Chris Matyszczyk contends that Buzz is the latest example of imperfect technology desgined to bend consumer behavior to suit the business goals of tech giants.

“It is in the financial interests of Facebook and Google to have as much information made public as possible,” says Matyszcyk, a creative director who advises major coporations on marketing and content creation. “The gaucheness with which both Facebook and now Google Buzz have gone about such a noble, selfless pursuit of their future is quite staggering.”

Matyszczyk worries that this trend could lead to consumers “losing their humanity,” a notion examined in Jaron Lanier’s new book, You Are Not a Gadget: A Manifesto. Lanier is the computer scientist credited with coining the term “virtual reality.”

“Who could not at least suspect that someone at Google, as Buzz was being created, said, or at least thought, ‘Let’s see how much we can get away with here?’” says Matyszcyk. “It’s not as if they were unaware of Facebook’s constant privacy traumas, which culminated in that ridiculous spectacle of (Facebook CEO) Mark Zuckerberg saying privacy was no longer the social norm.”

Expanding the attack surface

On the security front, Buzz already has begun to expand opportunities for cybercriminals. Hackers who specialize in so-called Blackhat SEO attacks have started corrupting Web links that turn up high in search results for queries about Google Buzz, says Bradley Anstis, vice president of technical strategy at M86 Security.

Click on a corrupted search result and your PC instantly becomes part of a botnet, aligned with thousands of other infected PCs, he says. Botnets are used for spamming, hijacking online bank accounts, spreading pitches for scareware, stealing corporate data and cyber espionage.

“As we’ve seen already, the type of information that was made available, such as the contacts you communicate with most, is alarming,” says Anstis. “We’re pleased to see Google react to this concern, but that doesn’t change the fact that spammers and cyber criminals will follow any social networking service that gains traction.”

Indeed, spam pitching fake pharmaceutical drugs already has begun to move across Buzz postings, says Beth Jones, security researcher at Sophos. Sure to follow are data thieves who can be expected to thoroughly probe the Buzz-Gmail coupling for security weaknesses, she says.

Surfacing virgin accounts

Data thieves are being drawn to Buzz by the scent of tens of millions of valid email addresses being surfaced by Google’s algorithm for expontentially increasing Buzz useage. Such “virgin accounts” are hot commodities in the cyber underground. “The fundamental risk is that your (Gmail account) information can be readily used by cybercriminals,” says Jones.

With a valid email address in hand, cybercriminals can easily guess the accompanying password and begin tapping contact lists in the virgin accounts. Virgin email accounts tend to clear spam filters, making them ideal  to spread spam and infections.

“We see more and more cases where the user accounts are ’stolen’ because the password has been guessed by cybercriminals,” says Luis Corrons, Technical Director of PandaLabs.  ” Most of the users have a password that is really easy for anyone to guess once the criminal has access to certain data such as the birth date, name of pets, and so on.”

While  it would help if more  consumers were security-aware,  the underlying problem  is that social networks are not taking users’ privacy seriously, says  Corrons.  Consider that Buzz’s algorithmic spreading mechanism generated 9 million posts in 56 hours by  cross-correlating  — and publicly surfacing — tens of millions of virgin email accounts.

“The average user won’t change their settings mainly because they don’t even know about the privacy policy, don’t mind or don’t realize the implications,” he  says . “In my opinion, all the settings should be restrictive by default and leave it up to the user to open them up.”

Google responds

In response to Last Watchdog’s  examination of the  security implications of Buzz, Pavni Diwanji, Google’s engineering director, on 18Feb2010 emailed me this statement:

Use of popular search terms for blackhat SEO purposes is neither new nor specific to Google Buzz, or even Google for that matter. In all cases, we actively work to detect and remove sites that serve malware from our search index, using manual and automated processes. We caution users who might visit suspicious sites with warnings directly in our search results as well as in many modern web browsers.

Google works hard to fight spam, and in fact, Gmail’s anti-spam technology is one of the key reasons why people choose to use Gmail in the first place. We have similar goals for Google Buzz. As a Google Buzz user, you have a lot of control over what you see — you choose who you follow, and if someone is following you whom you consider spammy, you can always block them. If you see spam, you can report it to us, and in many cases that action will remove the spam immediately.

We’re employing a variety of techniques to help combat spam and abuse in Google Buzz, and we’ll continue to improve our methods.

By Byron Acohido

Wanted:

Perks: Employer has search monopoly — and warm leads at top spy organizations.

That’s one takeaway of reports that Google has asked the secretive National Security Agency to help track down the cyberattackers who recently breached its network. More on this below.

Reporter Ellen Nakashima’s front page story in the Washington Post yesterday, 04Feb2010, has rekindled simmering concerns about corporations collaborating in the shadows with the government’s top sleuth agency. Nakashima’s report used Deep Throat sources to flush out a substantive development in the finest tradition of Woodward and Bernstein.

You may recall how privacy and civil liberties activists raised a hew and cry in 2006 after an investigation, by USA TODAY’S ace telecom reporter Leslie Cauley, revealed how the NSA secretly analyzed phone records of tens of millions of Americans.

High potential for abuse

At the time, public backlash was directed mainly at telecom giants AT&T, Verizon and BellSouth for so readily giving up their customers’ private phone records to a government agency.

In a similar vein, Google, the world’s dominant search service, amasses data on the surfing habits of most Internet users, and stores vast amounts of sensitive data belonging to users of its popular Gmail and Google Apps online services, says Amrit Williams, CTO of security firm Big Fix.

Because the NSA is an “opaque intelligence organization . . .the potential for abuse of private information at the intelligence or government level is very high,” he says.

Google CEO Eric Schmidt did little to allay the fears of privacy and civil liberty advocates in this interview last December with CNBC financial reporter Maria Bartiromo. Schmidt says on camera:

The reality is that search engines, including Google, do retain this information for some time and it’s important, for example, that we are all subject in the United States to the Patriot Act and it is possible that all that information could be made available to the authorities.

It’s understandable the Google and other corporations might covet the NSA’s expertise at quelling cyber attacks; the agency possess unsurpassed intelligence gathering technologies and know how, says Jody Westby, CEO of consulting firm Global Cyber Risk and a distinguished fellow at the Carnegie Mellon CyLab think tank.

Mysterious agenda

Yet the cyber attackers who breached Google’s network and some 30 other tech, financial and media corporations in late December and early January used conventional messaging trickery and infection methods. So much so that security firm McAfee with in a couple of days of Google’s crying foul went public with extensive analysis of the distinctive  attacks, dubbed “Operation Aurora.”

So why tap the NSA when top-notch forensics is readily available from dozens of tech security firms?

“Company’s don’t usually run and ask the government to get involve in their business,” says Westby. “The attacks may be more sophisticated than we think. I think they (Google) is really trying to preserve their brand.”

Gunter Ollman, head of research at security firm Damballa, says there is a “a high probability” that Chinese nationals were involved. Whether anyone can prove the Chinese government was behind the attacks is another matter. Attacks that trace back to China are “state sponsored, endorsed or, at the very least, ignored by the Chinese government,” observes Ollman.

Given that long-held conventional wisdom, Jeff Chester, executive director of the Center for Digital Democracy, wonders what a search company that collects and distributes public and private data for commercial reasons might gain by turning to a U.S. spy agency for help.

Selling to spy agencies

He points out that Google is actively seeking an experienced sales rep at its Washington D.C. offices whose job will be to sell to the intelligence community. According to Google’s job description, whoever gets the job selling its wares to spy agencies must:

• Be responsible for the entire sales process from Prospecting to Close.
• Lead Generation/outbound calling and warm lead follow up.
• Understand Customer Needs and requirements.
• Present and articulate advanced product features and benefits of Google Enterprise solutions.
• Provide on-line demonstrations.
• Close Sales and achieve sales quotas. Be able to sell and differentiate in a competitive environment.

“Another real problem is that Google is working to curry favor with the NSA, CIA, DoD and others in order to sell its services and make greater profits,” says Chester.

Big Fix CTO Williams offers this takeaway:

The NSA is also one of the nations most secretive and opaque intelligence organizations and creating a balance between the information and enablement they can provide to private sector companies, such as Google, and the impact this may have on personal privacy is the major concern. The potential for abuse of private information at the intelligence or government level is very high. Some may argue that national security is more important than personal privacy and that if you have nothing to hide you have nothing to fear, but imagine the impact on one’s willingness to speak frankly about life threatening medical or legal issues if one felt that the privacy, that we as US citizens are guaranteed and hold so dear, will be compromised for the sake of security.

The United States has always struggled with finding a balance between national security and civil liberties, the question that we need to pose today is are we ready to compromise our liberty for the perception of short-term safety, especially knowing that this relationship sets a very dangerous precedent for the future involvement of Government within evolving commercial technologies of the tomorrow?

A Google spokesperson pointed out the company’s Jan. 12 public statement about cyberattacks and censorhips in China and declined further comment.

By Byron Acohido

Working with private security analyst Michael Felch, Ragan turns up evidence tying a few  of the servers used to deliver malware  in what’s being referred to as Operation Aurora to a couple of intriguing peripheral characters. The first is a controversial Chinese techie, named Peng Yong, and the second is New Hampshire-based hosting company, Dyn Inc. There the trail runs cold, for the moment.

Ragan’s bottom line: there’s more circumstantial evidence pointing to a conventional attack by profit-minded data thieves, than to a Chinese-government-backed operation, a notion LastWatchdog examined last week in this post.

Ragan raises a great point about why the global community of researchers, including the crack teams at Microsoft and McAfee, in this case, cannot seem to sustain an advanced level of cooperation that would be the surest way to mitigate cybercrime and cyber espionage.

It is odd that the detailed data available on the Malware and overall Aurora incident is scattered and made available, thanks mostly to the efforts of independent researchers. Considering all the security vendors quick to team up and fight Conficker, where is the Cabal for Aurora?

This whole incident would be a great source of information for organizations to learn about threats to intellectual property, incident response, risk management, and so on. Yet, the information blackout leaves business leaders in the dark, and the political war being waged in the press between China and the U.S. does nothing but spread confusion and offers little technical value.

Meanwhile, users of pirated copies of Windows take heed: you should stay current on all Microsoft security patches just like everybody else.

Microsoft has long had a policy of giving Windows pirates a free pass to download security patches. Yet many of the tens of millions of Windows pirates worldwide may not be aware of this policy, nor trust that Microsoft won’t try to somehow penalize them, says Charles Wisniewski, security analyst at Sophos.

“I preach that users should trust Redmond for their word on this one, and that infected pirated copies of Windows are not doing anyone any good, especially Microsoft,” says Wisniewski. “It hurts their reputation and, piracy or not, people should feel obligated to do their part for a safer Internet.”

This is especially true in the wake of the Google-China affair. Attackers used a freshly discovered security hole in Windows Internet Explorer to hack into Google and dozens of other tech, financial and media corporations. Microsoft has since issued an emergency patch. But if tens of millions PC owners who are using pirated copies of Windows never patch that will make it easier for attacks like Operation Aurora to proliferate, security experts say.

Microsoft spokesperson Jill Lovato supplied these written answers to Last Watchdog’s questions about Microsoft’s patch amnesty program.

LW: What percentage of Windows users worldwide are using pirated copies of Windows?

Microsoft: Our research shows that up to a third of customers worldwide may be running counterfeit copies of Windows.

LW: Can you confirm the estimate that 90% of Chinese PC owners use pirated copies of Windows?

Microsoft: We don’t provide numbers broken down by region; as our research indicates, the total number worldwide is up to one third, so piracy is clearly a serious global problem.

LW: When did Microsoft begin making security patches available to users of pirated copies of Windows?

Microsoft: We’ve always made security updates available to all customers. Making security updates more broadly available helps to prevent the spread of malware and to fight cyber crime.

LW: How do users of pirated copies of Windows go about getting security patches?

Microsoft: Customers with non-genuine copies of Windows receive updates through Windows Update or the Download Center, just like other customers.

LW: How many users of pirated copies of Windows stay current on their security patches? Is it less than 10%. Less than 5%?

Microsoft: We don’t have specific numbers to share on this topic.

LW: What assurance do Windows pirates have that Microsoft won’t try to somehow penalize them when they download security patches?

Microsoft: We like to work with customers who have non-genuine copies of Windows, and at the same time work to improve the overall health of the Internet by fighting malware. We will continue this path of constructive engagement with our customers.

By Byron Acohido

But while all the marbles seem to be rolling in the direction of castigating China, there is an equally plausible perpetrator: garden-variety, profit-motivated cyber thieves out to amass industrial secrets which they can sell to the highest bidder.

“It is certainly a possibility that someone is doing this and leaving bread crumbs that lead you down the wrong road,” says Wolfgang Kandek, CTO at Qualys.

Amrit Williams, CTO at  BigFix, hopes we don’t too quickly forget the rush to blame North Korea for some lightweight defacing of South Korean and U.S. government and commercial websites last summer.

Rep. Peter Hoekstra (R-Michigan), the lead Republican on the House Intelligence Committee, called for a “show of force or strength” against North Korea. Turns out the crude attack was more likely the work of a cyber gang experimenting with new forms of denial-of-service attacks, while deflecting the blame to North Korea.

“This is all easy stuff to do. There seems to be proof that the computer servers (used in attacking Google) were located in China and that the malware was Chinese in nature, but it is almost impossible to prove the attacks were state sponsored,” says Williams.

Chinese fingerprints

Indeed, Zscaler senior researcher Mike Geide recently isolated the latest Chinese fingerprints relating to the cyberattacks of some 30 big tech, financial and media companies; the attacks that pushed Google to threaten China.

Meanwhile, governments worldwide, including the U.S., are suddenly hyper-focused on assessing their vulnerabilities and discussing cyberwarfare policies and protocols.

And companies world wide this week are – or should be – scrambling to install Microsoft’s emergency security patch for Internet Explorer – a zero-day hole used in the attacks on Google and the other corporate behemoths.

In this backdrop, Zcaler’s Geide took a closer look at www.latax.gov.cn – a Chinese government site with information about paying taxes.

Clicking to the site activated a sequence the culminated with the attacker gaining full access to the visitor’s harddrive via a freshly-discovered security hole in Microsoft’s Internet Explorer browser. The sequence continued, opening a backdoor through which the intruder installed a program to turn on the PC’s webcam, begin stealing sensitive data and hide its tracks.

Some 30 companies have reported getting their corporate networks breached in a similar sequence, the common thread being use of the IE security hole, and embedding of the same program to turn on the webcam, install a keystroke logger, and lock in the malicious code with a root kit.

Index pages manipulated

Geide’s discovery adds more evidence that the attackers responsible for what McAfee is calling Operation Aurora are communicating and coding in the Chinese language. He found that the initiating infection resided on the website’s indexing page. Every website has an indexing page, which directs the visitor to the content he or she is trying to get to. In order to corrupt the page, the attackers had to have access privileges to the host computer serving up the webpage.

There are only a few ways to get this access. “In order to have the ability to modify the indexing page you need privileged access rights to the webserver,” says Geide. “You can have them already, somebody on the inside can give them to you or you can steal them.”

Assuming the Red Army didn’t do this or condone this, an outsider could fairly easily do this by planting a sniffer program somewhere on the government’s network and homing in on the needed credentials. Or they could have used a SQL injection attack to hack the Web server.

The coding that embedded the Web cam, keystroke logger and root kit derived from a common do-it-yourself crimeware kit, called Hupigon. The menu-driven controls for Hupigon are in Chinese, and the kit is marketed primarily on Chinese language criminal forums.

“The evidence suggests, at the end of the day, that Chinese individuals were behind putting this on the Chinese government’s website,” says Geide. “Whether they had the government’s cooperation or not, I cannot state.”

Geide says, as of Tuesday morning, 26Jan2010, these Chinese government websites reportedly carry the same attack sequence:

• .wscz.gov.cn
• .zhepb.gov.cn
• .jssalt.gov.cn
• .xfgh.gov.cn
• .laspzx.linan.gov.cn
• .zsjs.nmfc.gov.cn

In these cases, the prospective victims would presumably be Chinese-speaking citizens visiting the government websites, says Geide. But he adds that could include Chinese-speaking employees of Western companies doing business in China, who would have reason to visit the government sites.

“The prevalence of malware on GOV.CN webpages needs to be further investigated,” says Geide.

Patching implications

Meanwhile, Microsoft issued an emergency patch last week to close the security hole that enables this type of attack. The patch is being automatically distributed to millions of individual PC owners via Microsoft’s Windows auto update service. Home PC users should make sure they are current on Windows updates, since these infections can lurk on other webpages, as well.

The risk of getting infected by the Operation Aurora attackers will remain high for some time to come, security experts say. Most big companies in the West do not install security patches on workplace PC until completing extensive testing, which can take weeks, says Kandek.

Also, most individual Windows PC users in China – an estimated 90% – use pirated copies of Windows that do not qualify for security patches, says Matt Rosoff, tech industry analyst at research firm Directions on Microsoft.

“This is a defining moment bringing much needed attention to how inadequate our cyber defenses in the private and public sectors really are,” say BigFix’s Williams. “But if this escalates into government leaders suggesting a kinetic response, that’s very bad.”

UPDATE/CLARIFICATION: Apologies to Matt Rosoff, who has tracked Microsoft’s strategy to deal with China policy closely for years. For the record, Matt did not explicitly say in an interview with me that pirated copies of Windows do not qualify for Microsoft security patches. In fact, most users of pirated copies Windows can get security  updates.  Sophos analyst Chet Wisniewski points out that Microsoft actually has provided a free-pass for users of pirated copies of Windows to get security updates.

“This can be an important message to get out, as pirated Windows users in the US should not be afraid of patching as Microsoft  is not tracking security downloads,” says Wisniewski.

Whether many users of pirated copies of Windows are aware of — or trust — Microsoft’s nuanced effort to make security patches available to them is unknown.

“I preach whenever someone is listening that users should trust Redmond for their word on this one, and that infected pirated copies of Windows are not doing anyone any good, especially Microsoft. It hurts their reputation and piracy or not people should feel obligated to do their part for a safer Internet.”

By Byron Acohido

25Jan2010

By Byron Acohido, Calum MacLeod and Kathy Chu

Original online posting here.

BEIJING — Zhang Nanting enjoys text messaging acquaintances while he’s at the Golden Fortune Internet café here. Lately, the 28-year-old insurance salesman has been meticulous about keeping his texts squeaky clean.

“I rarely send rude, short messages,” says Zhang, citing the government’s recent crackdown on pornographic texting. “I think it’s excessive management, as I don’t know how they judge what is dirty or not.”

Zhang, like most Chinese citizens and most multinational companies doing business in China, grudgingly accepts government surveillance and censorship as a way of life. But things may be changing.

Google’s (GOOG) recent threat to pull out of China has brought into sharp relief China’s longstanding clampdown on personal freedoms and foreign companies’ access to its vast consumer market. It has continued these practices even as it revs up the capitalist-style advance of the world’s fastest-growing economy.

In China, domestic “stability” is paramount. That means zero tolerance for political dissent at a time when Chinese consumers are being encouraged to embrace technologies that let them communicate and socialize much like their Western counterparts. Similarly, China has invited major tech players, such as Google, Microsoft and Yahoo, to help nurture its economic growth. Yet it imposes censorship and other restrictions and has paid little heed to intellectual-property rights.

Analysts say this is all part of China’s drive to develop — and become the dominant supplier to — the world’s most populous consumer-driven economy, with information technology as a major component. “The government in China is determined to exercise some control over mass media and the Internet,” says Harvard law professor Jonathan Zittrain. “The aim is to keep the average Internet user pointed away from controversial content and towards approved content.”

Until Google dug its heels in, China Inc. seemed to have all the cards stacked in its favor. On Jan. 11, the search giant issued a statement complaining about invasive cyberattacks and demanding that China back off on censorship of Google’s search results. “This is the first time a big company like Google has stood up and said, ‘I have had enough of this,’ ” says Hu Yong, a Beijing-based new-media expert.

China hasn’t budged — and no one expects it to. Doing business in China has never been easy. Foreign-owned companies face a thicket of censorship, trade restrictions and tariffs, says Oded Shenkar, a business management professor at Ohio State University and author of The Chinese Century.

What’s more — not unlike many other nations engaged in multinational commerce — China uses the Internet for industrial spying, says Jody Westby, CEO of consulting firm Global Cyber Risk.

China “lies in a class by itself” in the “scope and scale of its cyberespionage operations,” says Usha Haley, analyst at the Economic Policy Institute and co-author of The Chinese Tao of Business.

Multinational tech companies, in particular, bemoan China’s insistence on controlling encryption protocols that companies use to protect sensitive data. It withholds certifications until companies conform, gaining control of the decryption codes for everyone doing business within its borders, says Shenkar.

The sum of this approach: China’s economy is roaring. Its Bureau of Statistics reported gross domestic product, the key measure of a nation’s growth, rose 10.7% in the fourth quarter and 8.7% overall in 2009. Its banking sector issued $1.2 trillion in new loans last year. By the end of October, China held $798.9 billion in U.S. Treasury notes, making the U.S. its biggest borrower.

Yet the growth comes as reforms that arose from the government’s 30-year “opening up” campaign are stalling out, says Joerg Wuttke, president of the European Union Chamber of Commerce in China. A September 2009 chamber report recounts a three-year rise in “industrial-policy interventions.” It found protectionism woven into standardization policies on products from cellphones to medical equipment, subjective enforcement of environmental rules favoring Chinese firms, and intellectual-property theft becoming a major concern.

In this backdrop, Google’s push-back could coalesce a broader shift in sentiment already underway. Many companies sense that access to Chinese markets is actually shrinking, Wuttke says. “The investment atmosphere has shifted,” he says. “It’s an indication that foreign companies are struggling.”

That’s because “China doesn’t believe in survival of the fittest. It believes in ’survival of whomever we say survives,’ ” says Anthony Migyanka, an economist and managing partner at Texas-based Mobile Money Minute.

Energizing activists

But China may be reaching the limits to that approach. On Thursday, Secretary of State Hillary Rodham Clinton proposed policies to quell censorship and ingrain freedom of expression on the Internet as a global standard. Clinton called on China to be transparent about responding to Google. She also threw down a gauntlet for U.S. corporations. “Censorship should not be in any way accepted by any company from anywhere,” said Clinton. “This needs to be part of our national brand.”

The Beijing-based Xinhua News Agency on Friday issued an official response. Chinese Foreign Ministry spokesman Ma Zhaoxu called on the United States to “respect facts and stop unreasonable accusations on China in the name of so-called Internet freedom.”

Clinton’s speech energized privacy and human rights activists, who’ve been tilting with Internet censors and hackers in China, Vietnam, Iran, North Korea and Tunisia. Clinton pledged $15 million to support “Internet freedom” projects, including helping non-profit organizations plot “circumvention strategies.”

“New technology demands new thinking about how companies and governments can each work to protect freedom,” says Elisa Massimino, CEO of Human Rights First.

China’s leaders aren’t completely immune to criticism. But for China, nothing counts more than domestic stability, which government leaders achieve by squelching dissent. Go along and you’re left alone to consume like a Westerner; resist and pay the consequences.

For the past six months, China has sent a vast region, larger than Alaska, back to the pre-Internet age. Last week, residents of Xinjiang, the nation’s Muslim northwest, were permitted to send text messages again. But international telephone calls are limited, and Internet use remains greatly proscribed, after ethnic riots in July.

Such actions remind Chinese citizens who is in control. Underground, in the dimly lit Golden Fortune Internet cafe and pool bar in Beijing’s Chongwen District, Zhang must register his ID card before logging on to one of 80 computers. Then he faces the “Great Firewall of China,” an array of official censorship tools designed to curb his surfing.

“Of course I wish I could read whatever I want,” he says, but he rarely bothers “climbing the wall” to bypass the censor’s blocks. “It’s too complicated.”

Playing along

Historically, tech giants Microsoft, Yahoo and even Google have played along to get along in China. To gain approval to launch google.cn and open a high-rise office in Beijing in 2006, the search giant accepted censorship of search queries and results, such as references to the Tiananmen Square massacre. In a speech to Houston oil executives on Thursday, Microsoft CEO Steve Ballmer said that Microsoft intends to obey China’s specific censorship requests just as it follows laws in every country.

Yahoo has done that, too. The portal company infamously forked over data to Chinese officials that in 2004 helped convict journalist Shi Tao for leaking a propaganda directive. Shi was sent to prison for 10 years.

The kowtowing hasn’t exactly paid huge dividends. Yahoo sold its China business, also in 2004, to Chinese company Alibaba, giving up day-to-day management of its China operations. Yahoo retained a 39% stake in Alibaba.

Microsoft in 2002 began investing $750 million to help seed an indigenous Chinese tech sector, including opening a major research-and-development center in Shanghai. But the software giant has no illusions about dominating the Chinese PC software market, says Matt Rosoff, tech industry analyst at Directions on Microsoft. Windows PCs already are widely used in China, but 90% run pirated copies of Windows, says Rosoff.

Microsoft figures investing in the maturation of the Chinese tech industry will help drive down the piracy rate. Over time, Microsoft hopes, millions of Chinese will begin paying for their copy of Windows, Rosoff says.

For its part, Google has quickly become a mainstay with young professionals. It has a 20% share of the Chinese search market compared with search leader Baidu’s 70%, according to China IntelliConsulting.

Chinese tech firms, such as Baidu, “are extremely scrappy,” says Kaiser Kuo, a Beijing-based tech consultant. “They’ve managed to get the notoriously frugal Chinese consumer to part with money.”

Whether Google leaves China or stays remains to be seen. “The environment in which we are operating in terms of an open Internet is not improving in China,” says David Drummond, Google’s chief legal officer. “We’re no longer comfortable censoring our search results in China, and we are reviewing the feasibility of our operations there.”

Noting Google’s respect for the Chinese people, Drummond said it will keep a Chinese-language option on its global service if it shuts down google.cn.

Meanwhile, James McGregor, a Beijing-based consultant at APCO Worldwide, says complaints about mounting restrictions — he describes it as a lot of “little things at every level … by every ministry” — are reaching a crescendo. He says there is a high level of “clandestine support” for Google in the multinational business community. Google’s protest “has the possibility of stirring up a lot of people here who depend on Google and don’t want to lose it,” says McGregor.

Much could be riding on the resolution. Will Western values factor in or will China’s tactics prevail? “The 21st century is about whether and where a converging balance will be found. Google is just the beginning,” says international lawyer Jeanne-Marie Gescher.

MacLeod reported from Beijing, Chu from Hong Kong and Acohido from Seattle. Contributing: Jon Swartz in San Francisco

by Phil Neray

VP of Security Strategy, Guardium, an IBM Company

We’ve recently seen a series of SQL injection cyber-attacks conducted by “gray-hats” — including the recent  attack on a U.S. Army Website that revealed passwords stored in clear text.

Unlike black hats that are motivated financially or politically — like the hackers that allegedly penetrated Google to spy on Chinese dissidents — grey hats are essentially cyber-vandals who are mainly interested in outing weak security practices (and perhaps getting a little fame).

White hats, in comparison, work privately with Website owners and software vendors to correct flaws –without making them public.

As one of the better-known “serial grey-hats” (Unu) wrote on his blog, “I am not a thief. I’m just a guy who likes to do security testing, penetration. It’s like any other hobby.”

It has become very easy to break into sites using SQL injection. Hackers can easily download automated tools to locate sites running vulnerable applications — you can even use Google. According to IBM’s X-Force research team, SQL injection attacks increased a “staggering” 134% in 2008 and doubled from Q1 to Q2 of 2009.

So many of these vulnerable sites exists because all too many Web applications — created by a generation of inexperienced programmers — don’t adhere to good coding practices, leaving back-end databases wide open to manipulation. For instance, older versions of Microsoft SQL Server contain vulnerable procedures that are installed by default.

It’s believed that the Heartland attackers used this vulnerability to move from their initial SQL injection attack — against a low-value, Web-facing corporate server — to high-value servers processing hundreds of millions of sensitive credit card transactions.

Heartland isn’t alone. The vast majority of organizations don’t monitor activity on their database servers, leaving them vulnerable because they don’t even know when they’ve been hacked. In fact, according to the 2009 Data Breach Report by Verizon Business, 69% of breaches are discovered by a third-party external to the breached organization.

What can organizations do to stay protected? Here are some suggestions:

• Educate Web developers about secure development practices.
• Employ automated Web application scanners to locate code vulnerabilities.
• Never store passwords in clear text.
• Remove vulnerable procedures you don’t need.
• Deploy automated vulnerability assessment tools to check for vulnerable databases.
• Monitor all database activity in real-time for suspicious patterns.