Microsoft Finds >427k Compromised Email Addresses

Microsoft spelled out the results of its ongoing investigation into the Rustock botnet server hardware obtained by law enforcement in a status report submitted Monday to a federal judge.  Operation b107 was the codename for the takedown of the huge Rustock botnet, responsible for sending as many as 30 billion spam messages a day.  The takedown was backed by international warrants to seize command-and-control (C&C) servers.

Custom-written software for assembly of spam emails and text files containing thousands of email addresses and username/password combinations for spam-dissemination were found. One text file alone contained over 427,000 email addresses.

Along with the email addresses, forensics experts also uncovered evidence that the criminals used stolen credit cards to purchase hosting and email services.  Payments for the hosting of some of Rustock’s C&C servers were traced to a specific Webmoney account, and after asking the Russian online payment service for help, the owner of that account was identified in a city 14 miles northwest of Moscow.  The status report cautioned that this person might not be the actual purchaser of the C&C hosting services, and that the investigation is continuing.

18 of the 20 drives obtained had been used as “Tor nodes” to provide the attackers with anonymous access to the Internet, and to the hijacked Windows PCs that made up the Rustock botnet.  Tor relies on routing and encrypting traffic through a network of machines maintained by volunteers in numerous countries to hide the actual connections.  Tor is used by activists in nations where governments monitor or restrict web communication, and by hackers to thwart identification efforts.

If you believe your computer may be infected by Rustock or other type of malware, Microsoft encourages you to visit support.microsoft.com/botnets for free information and resources to clean your computer.

How Do Compromises Happen?

Have you ever received a letter or an e-mail informing you that your personal information may have gotten into the wrong hands?   Or perhaps a media report alerted you to a security breach at a company you do business with.  Here are just a few ways that security breaches have occurred:

  • School computer files containing personal information, including Social Insurance Numbers, are hacked.
  • An email containing too much information is inadvertently sent out to a third-party service provider.
  • A bank’s computer back-up tape with customer account data has been lost while being shipped to a storage facility.
  • A dishonest healthcare employee has sold computer files containing patients’ records, including SIN and DoB.
  • An overworked IT Analyst takes shortcuts around Change and Configuration Management processes in the server room in order to save time and money.
  • End users click on links or open attachments that appear to come from someone known and trusted.
  • Imposters have established accounts with a large information broker enabling members of an international crime ring to obtain thousands of comprehensive consumer profiles, including SIN and DoB.
  • A company laptop is stolen from the back seat of an employee’s car. It contains account data on thousands of customers.
  • A support agent, trying to give good customer service, helps a caller who claims to be having trouble with their account.
  • Advertising space is sold to a malicious software distributor.  The malware-laced ads are carried by legitimate and popular websites.

There are certainly more potential security breaches out there than those listed here.  Compromise can occur in so many ways.  A compromise can even occur just by surfing the web to a reputable and legitimate website that serves up ads.  The list goes on.  It can happen to anyone, and it is happening all the time.  Even I (security aware as I am) am guilty of at least one of these examples myself.

Your information can be inadvertently compromised without your involvement or knowledge.  Chief of Security at Symantec’s Australian offices, Craig Scroggie learned this lesson recently.  His credit card data was leaked via email when a restaurant attempted to send out its summer menu to its registered clients.  Instead of attaching the menu, it sent out the entire client database, unencrypted.  Scroggie found out about the breach after a follow-up email was sent informing him of the incident.  He had deleted the original email because he did not want to read the menu.  After being informed, he recovered it to see what details were exposed.

If the business that leaks your information is not regulated and mandated to advise you of when that takes place, do you think that they will risk the embarrassment, liability and potential costs of telling you about it?  Most are unfortunately going to keep mum, and ignore the issue, unless it is somehow traced back to them.  Oh, and it eventually will be, so you company owners who put off the added expense of good security, or hide a breach when it happens, be ready.  It’s really just a matter of time before your business gets a visit from the cops.

If enough people are compromised, you just have to look for common transactions.  If 100 people have records showing that transactions took place at one store or restaurant on all of their credit cards, and then shortly after all of the cards were used illegally, there is an interesting clue to follow up on.  You are better off preparing a breach notification policy now, just in case you need it later on.  That way, the decision about what to do, and who to call has already been made.  No one needs to make a bad decision to save their job or to deflect reputational damage to the company.  Better to be upfront and honest than to be considered incompetent or complicit.
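The “common transactions” clue described above is what card issuers call common point of purchase analysis. The script below is an added example, not code from this post or from any issuer: it works over a constructed list of card transactions (the card ids, merchant names and dates are all made up) and, for every card that was later used fraudulently, looks back over a window before the first fraud for the legitimate merchants it visited. A merchant shared by most of the compromised cards, but visited by few cards that were never misused, is the lead to follow up.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (not from the post): one tuple per transaction,
# (card_id, merchant, transaction_date, flagged_as_fraud).
TRANSACTIONS = [
    ("card-01", "Lakeside Grill", date(2011, 4, 3), False),
    ("card-01", "MegaMart", date(2011, 4, 5), False),
    ("card-01", "Coffee Corner", date(2011, 4, 6), False),
    ("card-01", "Online Electronics", date(2011, 4, 20), True),
    ("card-02", "Lakeside Grill", date(2011, 4, 4), False),
    ("card-02", "MegaMart", date(2011, 4, 9), False),
    ("card-02", "Online Electronics", date(2011, 4, 21), True),
    ("card-03", "Lakeside Grill", date(2011, 4, 4), False),
    ("card-03", "Gift Cards R Us", date(2011, 4, 22), True),
    ("card-04", "Lakeside Grill", date(2011, 4, 6), False),
    ("card-04", "Gift Cards R Us", date(2011, 4, 22), True),
    ("card-04", "Lakeside Grill", date(2011, 4, 25), False),  # after the fraud: not a clue
    ("card-05", "Lakeside Grill", date(2011, 2, 1), False),   # too old: outside the window
    ("card-05", "Lakeside Grill", date(2011, 4, 7), False),
    ("card-05", "Online Electronics", date(2011, 4, 23), True),
    # cards that were never misused
    ("card-06", "MegaMart", date(2011, 4, 5), False),
    ("card-07", "MegaMart", date(2011, 4, 6), False),
    ("card-08", "MegaMart", date(2011, 4, 8), False),
    ("card-09", "Lakeside Grill", date(2011, 4, 8), False),
    ("card-10", "Coffee Corner", date(2011, 4, 8), False),
]


def common_points_of_purchase(transactions, lookback_days=30, min_cards=3):
    """Rank merchants by how many compromised cards made a legitimate purchase
    there in the `lookback_days` before that card's first fraudulent use.

    Returns a list of (merchant, compromised_visitors, all_visitors, share)
    where share = compromised_visitors / number of compromised cards.
    """
    by_card = defaultdict(list)
    all_visitors = defaultdict(set)          # merchant -> every card that shopped there legitimately
    for card, merchant, when, fraud in transactions:
        by_card[card].append((merchant, when, fraud))
        if not fraud:
            all_visitors[merchant].add(card)

    compromised_visitors = defaultdict(set)  # merchant -> compromised cards seen there in the window
    compromised_total = 0
    for card, records in by_card.items():
        fraud_dates = [when for _, when, fraud in records if fraud]
        if not fraud_dates:
            continue                         # this card was never misused
        compromised_total += 1
        first_fraud = min(fraud_dates)
        window_start = first_fraud - timedelta(days=lookback_days)
        for merchant, when, fraud in records:
            # only legitimate purchases shortly *before* the fraud can be the leak point
            if not fraud and window_start <= when < first_fraud:
                compromised_visitors[merchant].add(card)

    ranked = []
    for merchant, cards in compromised_visitors.items():
        if len(cards) >= min_cards:
            ranked.append((merchant, len(cards), len(all_visitors[merchant]),
                           round(len(cards) / compromised_total, 3)))
    # most compromised cards first; on a tie, the merchant with fewer innocent visitors
    ranked.sort(key=lambda r: (-r[1], r[2], r[0]))
    return ranked


if __name__ == "__main__":
    for merchant, hit, seen, share in common_points_of_purchase(TRANSACTIONS):
        print(f"{merchant}: {hit} of {seen} cards seen there were later defrauded "
              f"({share:.0%} of all compromised cards)")
```

On the sample data only Lakeside Grill clears the default threshold: all five compromised cards ate there in the window and only one clean card did, whereas MegaMart is visited by plenty of cards that were never misused. The total-visitor column is what keeps a popular big-box store from being blamed simply because everyone shops there.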

Here are some useful resources:

Microsoft Security Intelligence Report (vol 10)

Microsoft has released volume 10 of their Security Intelligence Report, covering 2010.

The SIR is the result of an investigation of the threat landscape, analyzing exploits, vulnerabilities, and malware based on data from over 600 million systems worldwide, internet services, and Microsoft Security Centers.  In SIRv10, Microsoft presents a short video that calls attention to the second most commonly detected fake anti-virus software: Win32/FakePAV.  The video describes how Win32/FakePAV steals credit card information, and then shows how to remove the trojan.

In addition to the Win32/FakePAV feature, they continue to highlight the ongoing threat of botnets in “Battling Botnets,” which was released in 2010.

Key Findings:

  • Application vulnerabilities, as opposed to operating system or web browser vulnerabilities, continued to account for the majority of vulnerabilities in 2010.
  • The total number of application vulnerabilities declined 22.2% from 2009.
  • Vulnerability disclosures for Microsoft products increased slightly in 2010 but have generally remained stable over the past several periods.
  • Exploitation through Java has been rising since Q2 2010.  Exploitation on the Java platform far exceeds that on Adobe software and OS platforms.
  • Malicious IFrames account for a large number of attacks over HTTP, likely indicating the effect of hijacked and compromised websites.
  • Conficker is the most active malware family in the enterprise environment and only 9th in the general Internet environment.
  • JS/Pornpop is the most active malware family on the non-corporate Internet environment.
  • Phishing sites targeting social networks are increasing and they are effective in getting themselves presented to victims.
  • Overall OS-level vulnerability counts are steady, and the browser vulnerability count is increasing more slowly.

Download and read this interesting report.

Sony Breach Follow-up

So, Sony has had a breach.  Security researchers say this may be the largest theft of identity data on record.  Some of my friends have expressed concerns because they and their kids have accounts on Sony’s PlayStation website.  From what I have heard, 1 million Canadians may be impacted by this attack.

What can they expect?

. . .

What is known:

  • There is no law in place that forces the company to tell customers about the breach.
  • The hack took place April 17-19, and notification was delayed.
  • Passwords, logon information, email addresses and personal details were exposed.
  • Credit card details MAY have been compromised.

Suspected Impacts:

  • The criminals had time to make use of or sell credit card information.
  • Passwords are notorious for being used on multiple websites.
  • Login details are also commonly re-used.
  • Email addresses being exposed will very likely be used in spear phishing campaigns.
  • Personal information may be used to fine tune spear phishing attacks and identity theft.

I think that the risk posed by credit card fraud is pretty self-explanatory.  If the information MAY have been exposed, it probably was.

Spear phishing is an attack used to bait a user into clicking a link or opening an attachment in email, just like in a typical phishing attack that comes in the form of spam emails.  What sets it apart is that the attacker has some knowledge of, or information about, the target of the attack.  The attacker learns the targets’ likes, dislikes, interests and “hot items” that might cause them to trust, be curious, or react to their message.  They may use the Sony breach for instance, and send fake emails purporting to be from Sony, a news organization, an investigator, a lawyer associated with Sony, a subsidiary, or whatever creative device they can concoct.  Their message will entice the target to take some action that allows them to further defraud or abuse them, like install malware, gather more information about them, get passwords, or financial intelligence.  The ultimate target is generally financial gain.

What should you do?

  • Personally, if I had a credit card that I had registered with the Sony network, I would be cancelling that card.  Now.  I can hear the litany of “over reacting”, “tin-foil hatter” and “nonsense”, but that is what I recommend, take it or leave it.  Let me adjust my cap.  Your credit history, time, and money are better spent ordering a new card than dealing with the fallout of financial loss, explaining and fixing the situation for days, weeks, or even years to come.  Don’t be lazy, do it now.  At least call your bank and ask THEM what action they recommend.
  • Mind your bank account.  As Police Detective Superintendent Col Dyson said in a phone interview with reporter Asher Moses, “If you’re armed with enough personal information you could basically do  anything that the legitimate person could do themselves” including obtain various forms of credit, target their banking accounts, or steal their identity.
  • If you have an account on Sony’s network, change the password ASAP, and while you are waiting for Sony to come back online, change any accounts elsewhere that share the same login and/or password information.  And shame on you.  Don’t do it again!  I know, I know, I have a zillion passwords too.  Guess what?  There’s an app for that!  Invest in a password organizer that allows you to store and ENCRYPT all of your passwords.  Then you only need to remember one.  Many good ones are free, and can reside on your mobile device of choice.
  • Be especially wary of emails bearing links or attachments.  If you are deathly curious, open the attachment or link ONLY in a sacrificial environment.  To me, that means you set up a separate PC just for the occasion.  That old clunker you rest your feet on under your desk will do.  Set up a locked-down OS on it.  Add VMware.  Lock down the VM.  Copy the link/attachment to USB and examine it in the VM.  Afterwards, nuke the whole setup.  Do not trust it again.  Wipe the disk and start fresh again next time.  If you were clever, you would have installed Comodo Time Machine or something similar to save time in this regard.  If that’s all too much for you, -=[DELETE]=- works just nicely, thank you…
  • Pressure Sony to provide credit and ID monitoring services.  If your personal information was compromised because of their network breach, you have a right to expect certain remedies, and in my opinion, this is one such remedy that you should demand.

Just my 2¢, collect the whole dime.

Hartford Financial Malware Incident

The Connecticut-based, Fortune 100 company, Hartford Financial Services Group, one of the largest investment and insurance companies in the US, has reported a password-stealing Trojan found on a number of the company’s internal servers.

A letter sent to the affected employees says, “Hartford has detected a virus that infected our Windows server environment, which may have resulted in the capture of your personal information.  At this time, we do not know what, if any, personal information the virus may have captured from your session. We do know that the virus has the potential to capture confidential data such as bank account numbers, social security numbers, user accounts/logins, passwords, and credit card numbers.”

The W32-Qakbot Trojan malware event was first detected on February 28th, and an investigation traced it back to a February 22nd start time.  A number of servers were compromised, including the Citrix servers used by employees to access company systems remotely.  The malware event evolved into an incident once it was determined that around 300 individuals had been affected.  Hartford notified the New Hampshire Attorney General and those who had been impacted about the breach at the beginning of March.  According to ComputerWorld, the victims were mostly Hartford employees and contractors, and under 10 customers.  All were notified that their Hartford passwords had been reset, and were urged to reset passwords for all sites visited while using the company systems during the time of the incident.

How the malware was able to gain access to the servers remains undisclosed; however, insurance companies have been targeted by spam and phishing campaigns for many years.  Qakbot itself has been in the wild for about two years, and once installed on a computer, spreads within the network, taking steps to cover its tracks, capturing sensitive data, and opening back doors for hackers to directly access the compromised network.  The company has been working with Symantec to clean up, patch and harden all of its systems, and has offered all affected employees and customers a free two-year subscription to a credit monitoring program.

Law Firms Increasingly At Risk Of APT

Dark Reading is reporting that law firms are being attacked by stealthy, under-the-radar, targeted attacks looking to gather and exfiltrate intelligence on their corporate clients at an increasing rate.  Forensics investigators at Mandiant are seeing twice as many targeted attacks involving advanced persistent threats (APT) against law firms as ever before.  It is highly likely that many more law firms and other companies are being attacked by this scourge and don’t even realize it.

Law firms appear to provide a means to an end; the actual target is a client that they represent.  Firms that handle mergers and acquisitions or civil litigation are getting hit hard, particularly those with deals involving Chinese companies.  Attackers find law firms an attractive and relatively soft target compared to the actual targets, for gathering the intelligence they are after because they generally have a lower security posture than the actual target, and are constantly being solicited for new business, often via email.  When email messages come in seeking to hire the law firm, they will often pursue it to see if it results in a new client.  New clients are where law firms make their real money.

The e-discovery process law firms execute can leave sensitive client information relatively unprotected.  Firms sometimes use USB drives to gather information and take it back to the law firm, where it is potentially handled and the data stored in an insecure manner.  There are common guidelines available, however the legal industry doesn’t have specific data handling security regulations.

According to the article, when Google announced that it had been targeted by hackers operating out of China in January 2010, the law firm King & Spalding, which specializes in corporate espionage, was identified publicly as a victim of the same attack campaign.  Shortly after, Gipson Hoffman & Pancione said it was hit with a targeted attack using spoofed emails from firm employees that contained Trojanized attachments.

I hope my friends and colleagues at Canadian law firms and the Bar Association are paying attention to this very real threat, and are taking the necessary precautions to harden systems, educate their users, and monitor their network traffic.

Prepare For APT Attacks

APT (advanced persistent threat) attacks have been in the press since 2006, but are only now gaining real media attention due to recent high-profile attacks, and IT teams must prepare to deal with these threats before they become commonplace.  Some security practitioners consider APT an “overblown marketing term” and others will argue that it only affects the military or government agencies.  In the military, the term APT has been used to describe a process of maintaining intelligence operations and conducting information warfare against an enemy.  In information security terms, hundreds of companies around the world have been completely and utterly compromised by information security APTs, which allow hackers to mine and exfiltrate sensitive corporate data under the security radar, over an extended period of time.

In information security, these are targeted attacks launched using malware vectors, and as their name implies, they are employing zero-day unreported vulnerabilities, advanced coding practices, and automated behaviors to increase the effectiveness of their penetration capability, covert operation, and continued existence. They are persistent at attacking their target, and remaining in operation, often for years.  Once inside the organization, APTs are not easily detected, contained and removed.  Victimized companies will often continue on with their daily business unaware of the problem, and when they are eventually detected, they are often misdiagnosed as other less impressive malware and given an incorrect or incomplete treatment.  If the malware agent is unable to communicate with its Command & Control (C&C) center, it will often attempt to reach another one, or use another communication channel or method to quietly squawk away your secrets.
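The fallback behaviour described above (an agent that loses its C&C and quietly tries another one, or another channel) is also one of the few things about an APT agent that a defender can see from the outside, in egress logs. The script below is an added example and not code from this post or from any vendor: it runs over a few constructed firewall log lines (the addresses, ports and timestamps are made up, using documentation IP ranges) and looks for two things at once: connections repeated at a near-constant interval, which is how a timer-driven implant checks in, and a host that, immediately after a denied connection, starts trying brand-new external destinations. The log format and the thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall log lines (not from the post): timestamp, internal source,
# external destination host:port, and whether the egress filter allowed the connection.
SAMPLE_LOG = """\
2011-04-18T10:00:00 src=10.0.0.15 dst=203.0.113.7:443 action=allow
2011-04-18T10:10:01 src=10.0.0.15 dst=203.0.113.7:443 action=allow
2011-04-18T10:20:00 src=10.0.0.15 dst=203.0.113.7:443 action=allow
2011-04-18T10:30:02 src=10.0.0.15 dst=203.0.113.7:443 action=deny
2011-04-18T10:30:05 src=10.0.0.15 dst=198.51.100.20:443 action=deny
2011-04-18T10:30:09 src=10.0.0.15 dst=192.0.2.44:8080 action=allow
2011-04-18T10:40:09 src=10.0.0.15 dst=192.0.2.44:8080 action=allow
2011-04-18T10:50:10 src=10.0.0.15 dst=192.0.2.44:8080 action=allow
2011-04-18T10:03:12 src=10.0.0.22 dst=203.0.113.50:80 action=allow
2011-04-18T10:31:40 src=10.0.0.22 dst=203.0.113.51:80 action=allow
2011-04-18T10:45:03 src=10.0.0.22 dst=203.0.113.52:443 action=allow
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>allow|deny)$")


def parse_log(text):
    """Turn the log text into a list of event dicts, oldest first; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_beacons(events, min_hits=3, max_cv=0.1):
    """Flag (src, dst) pairs contacted at a near-constant interval.

    The coefficient of variation (stdev / mean) of the gaps between attempts is
    close to zero for a timer-driven implant and large for human browsing.
    Returns (src, dst, period_seconds, attempts) tuples.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_cv:
            beacons.append((src, dst, round(period), len(times)))
    return beacons


def detect_failover(events, window_seconds=60):
    """After each denied connection, list brand-new destinations the same host
    tried within `window_seconds`: the fallback behaviour of an agent that lost its C&C.
    Returns {src: [(denied_dst, [fallback_dst, ...]), ...]}.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            if e["action"] != "deny":
                continue
            seen_before = {x["dst"] for x in evs[:i]} | {e["dst"]}
            fallbacks = []
            for later in evs[i + 1:]:
                if (later["ts"] - e["ts"]).total_seconds() > window_seconds:
                    break
                if later["dst"] not in seen_before and later["dst"] not in fallbacks:
                    fallbacks.append(later["dst"])
            if fallbacks:
                findings.setdefault(src, []).append((e["dst"], fallbacks))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, dst, period, n in detect_beacons(evs):
        print(f"beacon: {src} -> {dst} every ~{period}s ({n} attempts)")
    for src, chain in detect_failover(evs).items():
        for denied, fallbacks in chain:
            print(f"failover: {src} lost {denied}, then tried {', '.join(fallbacks)}")
```

On the sample, 10.0.0.15 checks in every ten minutes, is cut off, tries two fresh hosts within seconds and settles on a new one with the same period, while 10.0.0.22’s irregular browsing to assorted hosts is never flagged. Neither heuristic is proof on its own (software updaters beacon too), but a regular beacon that survives a block by moving is worth a look, and a quiet look is the point the paragraph above makes.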

Not every malware infection indicates an APT attack.  Consultants are tempted to identify every bot-agent or Trojan found as an APT and dream up long-term, radical incident handling and remediation engagements from unseen and unknown attackers.  I’ve had to disagree more than once with consultants and responders on whether APT was part of an active security event.  The first step in handling an APT attack is understanding what separates it from a targeted hacker or a classic malware agent.  Once it is properly defined and understood, detecting and eliminating these kinds of attack tools can become easier.

APT attacks started to be reported by the mainstream press in January 2010 with Google’s announcement of a major APT incident, and continue with the more recent RSA compromise involving  theft of information concerning SecurID technology.  That particular breach has been followed by serious reaction and concerns from users of the technology.  The impact and aftermath of that incident are still unfolding.  The hacking group Anonymous’ HBGary email leaks show that Dupont, Disney, Johnson & Johnson, Sony, and GE have been affected, along with several law firms and insurance companies.   Global financial companies and banks have also been impacted by the APT threat.  McAfee recently revealed that the world’s biggest oil and energy companies have also become victims.

Finding, containing and eliminating an APT attack requires careful advance planning and stealthy implementation to avoid alerting the attackers to your defensive maneuvers. The Canadian government had to isolate its largest financial departments, blocking access to and from the Internet in order to contain an APT threat and repair the damage that it caused.  In every single case that I am aware of, the targeted organizations had actually been under attack for months or even years, undetected.

The attackers are selecting their targets very carefully.  Where other malware vectors tend to be arbitrary, finding targets of opportunity, APT attacks are aimed precisely at targets of choice.  The attackers spend a fair amount of time researching and learning about the organization that they are about to attack, its personnel, its market, its interests, its hierarchy, its policies and culture.  They will custom build the installation routines and the malware agent to virtually eliminate the potential for anti-virus and other detections.  There will be no signatures for the malware, and they will rarely use that particular agent anywhere else simultaneously.  The attack itself will be well planned, often using social engineering tricks to get the program inside the perimeter.  Users will be targeted specifically, sometimes using their personal home email and less protected home networks to get onto laptops, USB sticks and other media that can make their way into the workplace.  Insiders may be used, and not just the ones that you screen and hire.  You may be the target, but an upstream business partner, downstream service provider, or consultancy may do the hiring.  Your network may even just serve initially as a conduit for the real target; a business partner, a consultant that works for both you and the ultimate target, or a shared service provider.  Consider yourself a current target if you hold sensitive information beneficial to foreign governments, or have relationships with those who do.

Key target characteristics include:


Beware Earthquake & Tsunami Scams

First, my heart-felt best wishes go out to those directly affected and those who have families and friends in Japan.  Events there have been devastating to say the least, and I hope that no more people are injured as a result of this catastrophe.

There will undoubtedly be many spam and malicious emails floated about the Internet, posing as relief efforts, charities and even news footage of the events unfolding and aftermath.  These scams will be used to deliver malware to your computer, fleece you of your money, and take advantage of human suffering and good will.  Don’t fall for these malicious campaigns. 

  • Donate only to charities that you know and trust.
  • Go to their known websites on your own, do not follow links in dubious emails.
  • Do not give out your personal or credit card information to inbound phone callers.
  • Use the Charities Listings provided by Canada Revenue Agency or the US IRS.

French Government Spear-Phished

At least 150 French government computers were breached after hackers used “spear-phishing” techniques to plant malware that monitored the machines for weeks before being discovered, according to media reports.

The attack commenced late last year, allowing the hackers to monitor official mailboxes and servers of the Ministry of Economy, Finances and Industry.  Some of the information accessed during the attacks included documents relating to the G20 economic group, being hosted and chaired this year by France.  They join a long list of sensitive bodies that have fallen prey over the past few years to attackers who were able to monitor private communications for weeks or months at a time.  Google and more than three dozen other companies were hit by attacks that bore many of the same characteristics.  Additional companies recently outed as victims of the so-called Operation Aurora attacks include Morgan Stanley, Sony, General Electric, Walt Disney, Dupont, and Johnson & Johnson, according to Bloomberg News.  A similar breach was recently reported against the Finance Department and Treasury Board of Canada, who hosted the G20 last year.

Sources say that some of the files were redirected to Chinese sites, but concede that this fact doesn’t really say much. Chinese hackers and the Chinese government have lately been tied to a number of cyber attacks targeting government systems around the world but, as always, there is no incontestable proof of their guilt.  Rerouting attacks is a common ploy to cover an attackers’ tracks.

Emails containing malicious attachments and links were targeted at specific employees at all levels within the French ministry, spoofed to look like they came  from colleagues or associates.  The emails contained malicious attachments that once opened, installed backdoor programs onto the machines.  It is not clear whether the program then spread from PC to PC, or if the spear-phishing campaign sought out email addresses of those initially impacted, but at least 150 of the ministry’s 170,000 computers became infected.  Once the perimeter had been penetrated, the attackers transferred G20 documents to servers located in China.

  • Be careful of the emails that you receive, even if they come from people that you know.  If you are not expecting a specific email with an attachment, treat it with suspicion.  That means, call the person that sent it to you and confirm that they sent it.  It is easy to spoof an email.  It is also possible to take over an email account, so don’t rely on email for double-checking.
  • Open attachments selectively.  If you do open an attachment, saving it to disk first will often trigger a malware scan from anti-virus software.  It can’t detect everything, but it will find most malicious software.  Use a non-standard viewer rather than the native program.  There are viewers for every common file format.  I use several different ones for viewing PDF files, which have become very popular with malware authors lately for carrying and delivering their payloads.
  • Be especially suspicious of parcel delivery emails, invoice emails, “your account” emails, emails with a threatening tone, IRS and tax service emails, and unsolicited contest winner emails.  I hope by now everyone is aware of the Gotta Get Money Out Quick “419 scams”.  No rich ex-king or their heir is going to pick your name out of the phonebook to cut you in on a million dollar deal.

Malware Tracking Spam

Oh you rascals.  Hahaha.  It seems that there is a parcel enroute to my address.  No idea who it’s coming from, or even why.  It’s not even my birthday. 

Good folks at DHL are on the ball, and sending it to me.  I am so excited!  I wasn’t expecting a parcel.  But they assure me it is coming.  And SOON!  Seven days!  I can hardly contain myself.  I’m just dying to find out what’s inside.  It could be treasure!  Or a pair of mismatched and poorly fitting mittens from Aunt Ann.  She’s a sweetheart, but her eyesight’s going.  You ought to see those knitting needles fly, though…

Oh, look the email that DHL sent me to advise that the mystery parcel is on its way has a handy attachment that contains “more information and the tracking number”.  Well, I’ll be.  That is so handy!  Now why do you think they wouldn’t just put the tracking number into the email itself?  Probably some pointy-haired manager made a policy decision before going for lunch.  You know the type.  “Security-minded”. 

The attachment is a ZIP file, so it must be safe.  I’ve received ZIP files from all over the place.  That guy my sister married, what-his-face, the one in IT, he sends them over to me all the time.  I should probably double click that file so I can see what’s inside of it.  Maybe it has clues as to the contents and sender…  It says DHL_Document.zip, so I’m pretty sure that must be what it is.

DHL is a big company.  They are SO big in fact that they don’t just use names on their email addresses.  Why, looking at this email, coming from support61m@dhl.com, they have to number their employees just to keep track of them!  Imagine how many there must be if this came from number 61 in the support department.

DHL works so hard to get my parcels to me.  FAST.  They really should slow down though.  Their sentence structure and grammar is terrible.  I should reply to these nice folks, let them know I got their email, and thank them for being so considerate.  Oh, look, there’s another one.  And one from Purolator.  Wow, and another one.  I can’t wait to get all of these packages!  Someone loves me.  They really, really love me!!

Dear customer.

The parcel was send your home address.

And it will arrice within 7 bussness day.

More information and the tracking number

are attached in document below.

Thank you.

2011 DHL International GmbH. All rights reserverd.
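The tell-tales this post pokes fun at (a “Dear customer” greeting, a numbered support mailbox, a tracking number that is “in the attachment” instead of in the message, and a ZIP attachment), together with the “be especially suspicious of parcel delivery, invoice and your-account emails” advice in the French government post, can be turned into a simple mail-triage check. The script below is an added example, not code from this blog or from DHL: it parses a constructed message written in the style of the quoted spam (the Reply-To address, the recipient and the stub attachment are made up; the sender address is the one quoted in the post) and a constructed legitimate message, and scores each against those indicators using only Python’s standard `email` package. The phrase lists and the quarantine threshold are assumptions for the example.

```python
import email
import os
import re
from email import policy
from email.utils import parseaddr

RISKY_EXTENSIONS = {".zip", ".rar", ".exe", ".scr", ".js", ".vbs"}
LURE_PHRASES = ("parcel", "tracking number", "invoice", "your account", "winner",
                "suspended", "tax refund", "urgent")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear client")

# Constructed message in the style of the parcel spam quoted above; the Reply-To,
# recipient and attachment are made up, and the "zip" is just an empty archive record.
SAMPLE_PARCEL_SPAM = """\
From: DHL Support <support61m@dhl.com>
Reply-To: tracking@dhl-parcel-notify.example
To: victim@example.org
Subject: DHL parcel notification
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear customer.
The parcel was send your home address.
More information and the tracking number are attached in document below.
--b1
Content-Type: application/zip; name="DHL_Document.zip"
Content-Disposition: attachment; filename="DHL_Document.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed message that should pass: known sender, no attachment, personal greeting.
SAMPLE_LEGIT = """\
From: Alice Example <alice@example.org>
To: bob@example.org
Subject: Thursday agenda
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Hi Bob,
Here is the agenda for Thursday's meeting, as discussed on the phone.
"""


def triage(raw_message):
    """Score one raw RFC 822 message against the tell-tales listed above.

    Returns {"score": int, "findings": [...], "verdict": "quarantine" | "deliver"}.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # Sender checks: a Reply-To pointing at another domain, or a mailbox that
    # looks machine-generated ("support61m"), are cheap but telling signals.
    _, from_addr = parseaddr(msg.get("From", ""))
    from_local, _, from_domain = from_addr.lower().rpartition("@")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower().rpartition("@")[2] != from_domain:
        findings.append(f"Reply-To domain differs from sender domain ({reply_addr})")
    if re.search(r"\d{2,}", from_local):
        findings.append(f"numbered, auto-generated looking mailbox ({from_addr})")

    # Body checks: generic greeting and the classic lure vocabulary.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    if body.lstrip().startswith(GENERIC_GREETINGS):
        findings.append("generic greeting instead of the recipient's name")
    haystack = msg.get("Subject", "").lower() + "\n" + body
    lures = [p for p in LURE_PHRASES if p in haystack]
    if lures:
        findings.append("lure phrases: " + ", ".join(lures))

    # Attachment checks: archives and executables, and details that a real
    # courier would simply have written in the body being deferred to the file.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_EXTENSIONS:
            findings.append(f"executable/archive attachment {name}")
            if "attach" in body:
                findings.append("message details are deferred to the attachment")

    score = len(findings)
    return {"score": score, "findings": findings,
            "verdict": "quarantine" if score >= 3 else "deliver"}


if __name__ == "__main__":
    for label, raw in (("parcel spam", SAMPLE_PARCEL_SPAM), ("legit", SAMPLE_LEGIT)):
        result = triage(raw)
        print(f"{label}: {result['verdict']} (score {result['score']})")
        for f in result["findings"]:
            print("  -", f)
```

The parcel message trips every one of the checks; the meeting note trips none. A real mail gateway would add sender authentication (SPF/DKIM) and attachment scanning on top of this, but even these header-and-wording heuristics catch the “Dear customer, your tracking number is in the ZIP” pattern the post describes, without ever opening the attachment.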