Will Auzzie Internet Security Program Alert US Consumers of Account Hacking?

November 2, 2010

Escalating attacks by hackers and other criminals on consumer, government, and business computers have increased the need to find viable defenses. Now, officials in the Obama administration have met with industry leaders and experts to look for new ways to increase online safety while balancing securing the Internet with guarding people’s privacy and civil liberties.

One option the government and industry experts are reportedly reviewing is an Australian technology that enables consumers to get warnings from their ISP (Internet Service Provider) if their computer is taken over by hackers and used in a botnet or other crime. (To learn more about botnets, see my blog What are Bots, Zombies, and Botnets?)

White House cybersecurity coordinator Howard Schmidt told The Associated Press that the United States is looking at a number of voluntary ways to help the public and small businesses better protect themselves online. Note the inclusion of the word voluntary – any move toward Internet regulation or monitoring by either the government or the industry could set off fierce consumer protests.

If a company is willing to give its customers better online security, the American public will go along with that, Schmidt said. “Without security you have no privacy. And many of us that care deeply about our privacy look to make sure our systems are secure,” Schmidt said in an interview, adding that ISPs can help “make sure our systems are cleaned up if they’re infected and keep them clean.”

Given U.S. consumers’ fears over monitoring, the government has thus far avoided a potentially controversial aspect of the Australian plan that would allow ISPs to block or restrict the online access of users who fail to clean up their infected computers.

Some efforts to alert and help consumers have begun

At the same time, Comcast Corp. has begun rolling out a program to alert users when the service identifies their computer as being a part of a botnet. The program does not require customers to fix their computers or limit the online usage of people who refuse to do the repairs.

“We don’t want to panic customers. We want to make sure they are comfortable. Beyond that, I hope that we pave the way for others to take these steps” said Cathy Avgiris, senior vice president at Comcast.

Facebook has also taken steps to increase site security by identifying users infected with the Koobface virus, and it has partnered with McAfee to help infected users clean the virus off their machines.

Will we see mandatory measures?

Dale Meyerrose, vice president and general manager of Cyber Integrated Solutions at Harris Corporation, says voluntary programs will not be enough. “There are people starting to make the point that we’ve gone about as far as we can with voluntary kinds of things, we need to have things that have more teeth in them, like standards,” said Meyerrose. For example, coffee shops or airports might limit their wireless services to laptops equipped with certain protective technology, or ISPs might qualify for specific tax benefits if they put programs in place.

Australian ISPs will, as of December, be able to take a range of actions once they have identified an infected computer. These range from issuing warnings, to restricting outbound email, to temporarily quarantining compromised machines while providing customers with links to help fix the problem.

First, do no harm

Mandating that consumers’ computers be safe to use the internet sounds good on the surface – it’s like requiring that all students get inoculated so they don’t infect your child. But there are many layers to consider – what happens if a user’s phone service is part of the internet package – would they be blocked from making emergency calls? What if the computer is core to a business – should an ISP be able to shut down that business? Can cybercriminals leverage a policy like this to disable consumers across the country – giving a rather different meaning to the term ‘denial of service’ attack? What would a consumer’s experience be like if they constantly had to repair their computer to get online?

Advising consumers that their computer is infected, and providing tools for them to clean up the mess is one thing. Following the Australian plan is far more complicated.

And, at the end of the day this still leaves us playing catch up and clean up, rather than figuring out the far more pressing issue – how to thwart criminals from infecting machines in the first place.



Malware-Riddled Flash drive Created “Worst” U.S. Military Breach

September 3, 2010

A malware-laden flash drive inserted in a laptop at a U.S. military base in the Middle East in 2008 led to the “most significant breach of” the nation’s military computers ever, says William J. Lynn III, deputy secretary of defense, in a newly released essay titled “Defending a New Domain: The Pentagon’s Cyberstrategy,” for the September/October issue of Foreign Affairs magazine. (You must register to read the full article.)

The article says the flash drive is believed to have been inserted by a “foreign intelligence agency” and the malware infiltrated the U.S. Central Command network and spread undetected on classified and unclassified systems creating a “digital beachhead, from which data could be transferred to servers under foreign control”. “It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary,” writes Lynn.

This incident is reportedly the most significant breach of U.S. military computers to date, and it served as a wake-up call. In response, the Pentagon launched Operation Buckshot Yankee, marking a turning point in U.S. cyberdefense strategy.

In the article, Lynn estimates that over 100 foreign intelligence agencies are working to hack into U.S. networks and that some countries already have the ability to disrupt our communications, saying “Hackers and foreign governments are increasingly able to launch sophisticated intrusions into the networks that control critical civilian infrastructure. Computer-induced failures of U.S. power grids, transportation networks, or financial systems could cause massive physical damage and economic disruption.”

The scope of intrusions by hostile organizations and countries is staggering. Over the last ten years, the sophistication and frequency of probes into U.S. military networks have increased exponentially. U.S. military and civilian networks are scanned millions of times a day, and Lynn says files including weapons blueprints, operations plans, and surveillance data have been stolen.

Lynn highlights the threat of counterfeit computer hardware, which has been found in systems purchased by the Department of Defense, and of hardware and software that has been tampered with en route to the U.S.

“The risk of compromise in the manufacturing process is very real and is perhaps the least understood cyber threat. Tampering is almost impossible to detect and even harder to eradicate. Rogue code, including so-called logic bombs, which cause sudden malfunctions, can be inserted into software as it is being developed. As for hardware, remotely operated ‘kill switches’ and hidden ‘backdoors’ can be written into the computer chips used by the military, allowing outside actors to manipulate the systems from afar,” says Lynn.

“Cyberattacks offer a means for potential adversaries to overcome overwhelming U.S. advantages in conventional military power and to do so in ways that are instantaneous and exceedingly hard to trace. Such attacks may not cause the mass casualties of a nuclear strike, but they could paralyze U.S. society all the same,” he wrote. “In the long run, hackers’ systematic penetration of U.S. universities and businesses could rob the United States of its intellectual property and competitive edge in the global economy.”

What this means to you, and your role in protecting the country’s infrastructure

Every computer connected to the internet has the potential to impact the safety of the broader ‘net. In spite of the serious threats, the answer isn’t to unplug your computer and head for the hills. Instead, it is essential that you make sure your computers and internet connections are secure with proactive protection software that automatically updates; that you use strong, unique passwords and keep them private; and that you learn to avoid socially engineered exploits. It also means that every family member and/or anyone else who uses your computer(s) follows the same security rigor.

  1. Secure your computer. If your computer isn’t protected from Trojans, viruses, bots, and other malware, your financial information, passwords, and identity will be stolen, harming you and potentially spreading the malware to others. This concept is so basic, yet only 20% of the US population adequately protects their computers. If the cost of security software is prohibitive, use one of the excellent free services.
  2. Secure your Internet connection – make sure your computer’s firewall is on. If you use a wireless network, it needs to be encrypted so someone lurking outside the house can’t collect your information. If you need a free firewall, click here.
  3. Use strong passwords. A weak password is all it takes for someone to steal it. If you use the same password on multiple sites (or everywhere), you are asking for real trouble. Safe passwords don’t have to be hard to create; just hard to guess.
  4. When searching, do NOT assume sponsored sites are safe. Because I use McAfee Site Advisor (it’s free), I see a warning notifying me of the risk. Without a tool like this, you have no way of judging whether the site is legitimate or going to give you malware, spam, etc. Other companies offer similar services; pick one and use it!
  5. Trust is key. Know the site. Know the user. Know the company. Misplaced trust will land you in a world of trouble.
    1. You can no longer assume that links within trusted sites are safe. IBM’s research highlights the increase in malicious content placed on trusted sites.
    2. Be cautious and stay in the driver’s seat. Instead of clicking on a link, copy the URL into a search engine query and look at the results. Does the site have a positive safety rating? Don’t be pulled by links that may or may not take you where you want to go. This is particularly true with ‘shortened’ or ‘mini’ links used on sites like Twitter. If you do not have 100% confidence that the link is going to take you to a legitimate site, look up the material yourself. Learn how to Mitigate Risks When Using Shortened URL’s.



Mitigate Risks When Using Shortened URL’s

February 11, 2010

Lengthy URLs are hard to share with others, difficult (if not impossible) to remember, more likely to break in emails, and can simply be too long to fit into short messaging sites like Twitter – which limits posts to 140 characters. To solve all these issues, several great free programs are available to shorten URLs.

Of course, criminals are not stupid. Internet tools that are helpful for good users can be even handier for crooks. Spammers, scammers, ID thieves, etc. use URL shortening tools in hopes of increasing your likelihood of landing on their malicious sites.

For example, if you received an email, or saw a posting saying “hey, check out these cool cartoons” and saw the URL you were directed to click on was http://let-me-give-you-a-nasty-virus, you wouldn’t click on it. However, if the URL was shortened to look like http://bit.ly.12xtdf, you might not take the same care – even though it takes you to the exact same malicious site.

To reap the benefits of shortened URLs without falling victim to criminals, stick to the advice that you only click on links from trusted sources or on trusted sites – or find the site yourself. The trick is finding out what site is hidden behind that shortened URL so you can begin testing it for safety.

Below are the instructions for creating a shortened URL, and for discovering the safety of a shortened URL:

Creating a shortened URL:

  1. Begin by selecting a URL shortening service like TinyURL, Doiop, MemURL.com, ReadthisURL, dwarfURL.com, or bit.ly.
  2. Enter the full-length URL into the specified field.
  3. Create a short name (optional in some products, not available in others).
  4. Then press the button to generate the new, shorter version.

My personal favorite URL shortener is TinyURL.com because it offers two great features. (Note: my views are my own; I do not accept remuneration to promote any service.) The first great feature is the ability to customize your shortened URL, which is a whole lot more intelligible than the automatically generated random number and letter sequences the service creates on its own.

The second great feature is their preview option. Though it adds 8 additional characters, using the preview feature allows recipients to see the original URL of the site they will be taken to if they proceed. See the example here:

Discovering the safety of a Shortened URL:

If the shortened URL was created using TinyURL, and the creator used the preview feature, click on the preview link. It will take you to a landing page that shows the full URL address (see image). You can compare this to the original URL in the previous image and see they are a match.

To discover where other shortened links are going to take you requires using an “UNshortening tool”, several of which are also free.

If you frequently consider clicking on shortened links, installing a free tool like UnShortenEmAll, TinyURL Decoder, or Expand url shortening service urls makes a lot of sense; these will either automatically display the URLs in their original form or show you the real URL when you hover over them. All of these require that you download the Greasemonkey plugin for your Firefox browser to run, but they’re easy to install and use.

If you only occasionally consider clicking on shortened links, the website Unshorten.com may be just right for you. To use it, simply enter in the shortened URL, and it will return the real location as shown in the image below:

Keep in mind that simply discovering the full URL does not mean the site is legitimate – it just means you’re ready to use standard methods for determining the safety of a site.

Steer, don’t be pulled. Once you have found the real URL, use a search engine – combined with a malware filter like McAfee’s Site Advisor (it’s free) – to be sure the site is legitimate before clicking the link.

In the example above, you see that the full URL behind the link is blogof.francescomugnai.com. To check the safety of this website, I copied and pasted this text into the SEARCH box (not the address field) of the search engine and looked for two things: 1) the site exists, and 2) the site has been tested by McAfee Site Advisor’s malware filters and found to be safe (the little green check mark next to each result is how McAfee’s tool shows the safety or risk level of tested sites).
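As an added example (not code from the original post or from any of the tools it names), the Python script below does what the unshortening tools above do: it follows a shortened link’s HTTP redirects one hop at a time using HEAD requests, so the destination page is never rendered, refuses redirect loops and over-long chains, and rewrites a tinyurl.com link into its preview.tinyurl.com form. The host names in the embedded redirect chain are constructed so the walk can be exercised offline.

```python
"""Reveal the destination behind a shortened URL without visiting the page.
Added example, not code from the original post or from any shortener service."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10  # shorteners can chain into each other; cap the walk


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """urllib follows 3xx responses on its own; returning None here stops it,
    so the 3xx surfaces as an HTTPError whose headers we can read."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch_location(url):
    """HEAD one hop: return the Location header of a 3xx response, or None
    when the response is not a redirect (end of chain). HEAD fetches headers
    only, so the destination page itself is never rendered."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=10):
            return None
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
        raise


def unshorten(url, fetch=http_fetch_location, max_hops=MAX_HOPS):
    """Walk the redirect chain like an 'unshortening tool' does.
    Returns (final_url, hops); hops lists every URL visited, ending with
    final_url. Raises ValueError on a loop or when max_hops is exceeded."""
    hops = []
    current = url
    for _ in range(max_hops):
        hops.append(current)
        location = fetch(current)
        if location is None:
            return current, hops
        nxt = urljoin(current, location)  # Location may be relative
        if nxt in hops:
            raise ValueError(f"redirect loop at {nxt}")
        current = nxt
    raise ValueError(f"more than {max_hops} redirects; refusing to follow")


def tinyurl_preview(url):
    """Rewrite http://tinyurl.com/<alias> into http://preview.tinyurl.com/<alias>,
    the landing page that shows the destination instead of redirecting to it."""
    parts = urlsplit(url)
    if parts.netloc.lower() not in ("tinyurl.com", "www.tinyurl.com"):
        raise ValueError("not a tinyurl.com link")
    return parts._replace(netloc="preview.tinyurl.com").geturl()


# Constructed redirect chains standing in for live shortener responses
# (hypothetical hosts). A None value means "200 OK, no further hop", so
# FAKE_CHAIN.get can be passed straight in as the fetch function.
FAKE_CHAIN = {
    "http://short.example/abc": "http://other.example/xyz",
    "http://other.example/xyz": "/landing",  # relative Location header
    "http://other.example/landing": None,
}
FAKE_LOOP = {
    "http://loop.example/1": "http://loop.example/2",
    "http://loop.example/2": "http://loop.example/1",
}

if __name__ == "__main__":
    final, path = unshorten("http://short.example/abc", fetch=FAKE_CHAIN.get)
    print(" -> ".join(path))
    print("destination host:", urlsplit(final).netloc)  # what to search for
    print(tinyurl_preview("http://tinyurl.com/abc123"))
    # Live use: unshorten("http://tinyurl.com/abc123"); then check the
    # destination with a search engine and a site-rating tool before visiting.
```

The script only reveals the destination; as the post says, that host name still has to be checked with a search engine and a site-rating tool before you visit it.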

Keep your computer protected at all times using anti-virus, anti-spam, and anti-phishing tools and follow these simple safety steps when navigating to websites to have a safer, more enjoyable online experience.


$100 Billion-A-Year Medical Care Fraud

January 17, 2010

Healthcare fraud is big business. Last year scammers and organized crime groups bilked an estimated $100 billion, according to a new article, Health care: A ‘goldmine’ for fraudsters, from CNNMoney.com.

Medical Identity theft is the most lucrative aspect of the medical fraud business, and the most common method of gaining access to personal medical records is when someone with legitimate access to the data sells the information to criminals. But that’s changing.

According to the CNN article “Increasingly, criminal groups are hacking into digital medical records so that they can steal money from the $450 billion, 44-million-beneficiary Medicare system — making the government, by far, the “single biggest victim” of health care fraud, according to Rob Montemorra, chief of the FBI’s Health Care Fraud Unit.”


While the government is the “single biggest victim”, every individual whose records are stolen will feel the pain.

The most common way scammers and criminals make their money is by sending in false bills to insurance companies and Medicare for medicines, equipment, in-home health care, or treatments that were not prescribed or requested. Criminals also ‘resell’ an individual’s medical records to an uninsured person in need of medical care.

While the aim of the criminals behind medical ID theft and fraud is to steal money, the tampering with your medical information can place you at serious risk if doctors base medical decisions about your care on the falsified information in your file.

The government isn’t the only one footing the bill. In addition to the indirect costs to the government and insurance companies that every consumer pays for medical fraud, the average cost to an individual victim of medical ID theft was close to $1,200 according to Javelin Strategy & Research, a research firm specializing in trends in security and fraud initiatives. Javelin’s research also found that in 2008 the average incident of health care identity fraud netted the criminal $19,000, which is four times the earnings of overall ID theft.

In addition to the risk to your medical records, these thieves also gain access to the information that accompanies your records – including your name, address, phone number, social security number, insurance company, and more – placing you at high risk for traditional ID theft as well.

Stay vigilant

Always check your insurance benefits statements to see if there are charges or claims that are not yours. Notify your insurance company if your financial ID has been stolen, and notify your financial institutions if your medical ID has been stolen.


Symantec’s Cybercrime Intelligence Report Aug 2009

August 31, 2009

The news on the cybercrime front remains grim. According to Symantec’s MessageLabs report for August 2009, cybercriminals continue to expand their reach and hone their tactics; botnets are so sophisticated that they can be back up and running 48 hours after a crippling distribution blow; criminals now optimize for efficiency – and favor repurposing malware rather than developing new tactics. Scammers continue targeting ‘hot topics’ for their campaigns – and have the botnet capacity to distribute billions of spam messages a day.

If that didn’t leave you unsettled, here’s a closer look at Symantec’s MessageLabs findings for August:

  • Cutwail, one of the largest botnets globally, is responsible for approximately 15 to 20 percent of all spam today.
    • Following the shutdown of an ISP in Latvia, Cutwail’s volumes fell by as much as 90 percent, and global spam volumes fell by as much as 38 percent in the subsequent 48-hour period.
    • In a matter of days Cutwail was back to its former self, demonstrating just how powerful the botnet really is in recovering and reinventing itself.
  • Despite the brief downturn in spam levels, the figures for August remain fairly steady at 88.5%, due to the activity levels of other major botnets.
  • Another prolific botnet called Donbot distributed ten billion emails in just one day using shortened URLs in its spam runs. Note: Shortened URL services are invaluable on services like Twitter where only 140 characters are available – many URLs are longer than that. However, they mask the real website being pointed to and are therefore very appealing to internet criminals.
    • Leveraging the heightened interest in health related issues, Donbot email subjects include ‘Health care – get meds now’, ‘Save 89% on Meds’, ‘Purchase Meds Online’.
  • The ongoing use of shortened URLs as a delivery mechanism has resulted in a number of URL-shortening services being forced to close their businesses due to their inability to handle the malicious use of their tools.
  • Cybercriminals are three times as likely to favor repurposing malware across numerous domains rather than developing new tactics.
    • In August, of 3,510 websites being blocked daily, 36.1 percent of domains were new. Similar analysis of malware being blocked each day highlights that only 11.9 percent was newly developed malware.

We can read this sobering report and throw up our hands, or we can look for additional countermeasures to help in thwarting these exploits.

I was particularly struck by the high level of repurposing of malware. It of course makes the best business sense from a criminal’s point of view, but perhaps it opens another avenue for countermeasures.

As an industry, companies need to work more closely together to block cybercriminals’ ability to repurpose exploits across various services and technologies. Far too often when an exploit first arises – let’s say in email – we see email providers scramble to create solutions; then the exploit pops up in IM; and then in one or more social networking sites; and so on.

We need to figure out how to work better across companies and services segments to stop the repurposing in its tracks and reduce the opportunity for financial gains by the criminals behind these exploits.



Cybersecurity Draft Strengthened

August 28, 2009

Stronger focus on creating a trained workforce to thwart high-tech threats, increased frequency of national cyber-reviews, and the development of a workforce plan to address skill deficiencies and an analysis of barriers to recruitment of cybersecurity professionals are among the changes introduced over the August recess to the cybersecurity legislation by Senate Commerce Chairman John (Jay) Rockefeller and Sen. Olympia Snowe, R-Maine.

Though the revisions have not yet been approved, they incorporate excellent feedback to this important legislation. As a nation, we simply do not have enough qualified cybersecurity experts within law enforcement, government bodies, and companies to effectively combat the mounting threats against our infrastructure, and this legislation is an excellent step towards changing this shortfall.

Also encouraging is that, even in these difficult economic times, the original bill’s provision of a National Science Foundation scholarship program is preserved, and that significant funding is set aside for the National Institute of Standards and Technology to conduct competitions to woo students into cybersecurity careers.

Another alteration to the bill is the curtailment of what was a highly contentious provision, which had the potential to give the White House the authority to effectively turn off the Internet during a cyber crisis. The redrafted proposal directs the president to work with the industry during cyber emergencies on a national response as well as the timely restoration of affected networks.

The significant and escalating threats to our economy, infrastructure, and safety demand a strong response and a shift in course, which this legislation, if appropriately crafted, will begin to address.


McAfee, Inc. Names Jessica Biel the Most Dangerous Celebrity in Cyberspace

August 25, 2009

Mix celebrity status and media presence and you create a magnet for cyber-scammers. McAfee has just released its third annual “Most Dangerous Celebrity in Cyberspace” report, and it highlights that though the actors of the moment change, the tactics cybercriminals use remain the same.

Jessica Biel now has the dubious distinction of being the most dangerous celebrity to search in cyberspace. Whether fans search for “Jessica Biel” or “Jessica Biel downloads,” “Jessica Biel wallpaper,” “Jessica Biel screen savers,” “Jessica Biel photos” or “Jessica Biel videos”, they have a 20% chance of landing at a Web site containing spyware, adware, spam, phishing, viruses or other malware.

Somewhat surprisingly, McAfee’s results showed that the U.S. President and First Lady are not among the riskiest public figures to search, ranking 34th and 39th, respectively.

McAfee’s top riskiest celebrity searches include:

  1. Jessica Biel – Almost half of “Jessica Biel screensavers” search results contain malicious downloads with spyware, adware and potential viruses.
  2. Beyoncé – Inputting “Beyoncé ringtones” into a search engine yielded a dangerous Web site linking to a distributor of adware and spyware.
  3. Jennifer Aniston – More than 40% of the Google search results for “Jennifer Aniston screensavers” contained nasty viruses, including one called the “FunLove virus.”
  4. Tom Brady – The New England Patriot seems to attract many fans who want a free download of the athlete in action, but not the Trojan that comes with it.
  5. Jessica Simpson – Searching for “Jessica Simpson videos” can mislead unsuspecting surfers to sites with potentially damaging downloads.
  6. Gisele Bundchen – A search for “Gisele Bundchen photos” can direct users to sites that breached browser security in McAfee’s tests.
  7. Miley Cyrus – Web sites related to Miley Cyrus’ image link to harmful sites containing spyware.
  8. Megan Fox, Angelina Jolie – tied for the number of search results containing risky downloads, proving cybercriminals are in the business of capitalizing on the world’s most famous faces.
  9. Ashley Tisdale – The “High School Musical” star is a popular search term when it comes to searching for screensavers. A host of screensaver Web sites contained numerous malware-laden downloads.
  10. Brad Pitt – Brad Pitt fell towards the bottom of this year’s list, resulting in a few less, but just as dangerous, Web sites.
  11. Reese Witherspoon – Searching for “Reese Witherspoon” and “Reese Witherspoon photos” returns results promoting free files with hidden malware.
  12. Britney Spears – McAfee SiteAdvisor technology found a single site promoting free Britney Spears wallpaper that was embedded with more than 50 potentially infected downloads.

Don’t play roulette on a search engine

Searching the web without using tools that identify malicious websites is asking for trouble – you simply will not be able to tell which are legitimate. Cybercriminals aren’t stupid; they want to target the broadest number of users and therefore closely watch for the most popular search terms.

In addition to having up-to-date security software in place, you need to use a product that visibly identifies for you the potential for malicious code in search results. I’ll mention McAfee’s Site Advisor solution (it’s FREE, folks) first, as they generated this report and it’s the one I use on all my machines. Additionally, both Firefox and Internet Explorer have features you can use to alert you to malicious sites, and several other companies offer similar services.