Google, China, Chicken Little and Cyber Armageddon.

January 19, 2010

Foxy Loxy by Gustaf Tenggren


 
In the wake of the highly publicised “highly sophisticated and targeted” attacks on Google, at least three major governments have issued advisories urging their citizens to switch browsers away from Microsoft Internet Explorer. A well-known security company has redesigned their web sites to include a large ominous “Operation Aurora” graphic (that links to trial downloads of pre-existing software). The attacks have been described as “changing the world” by the CTO of that same security company and as “something quite different” by Google.
 
How much of this is real, justified and proportionate?
 
So what do we know so far? Well, according to Google, “In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google”. They go on to say “As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses–including the Internet, finance, technology, media and chemical sectors–have been similarly targeted. We are currently in the process of notifying those companies”.
 
Subsequent external conjecture, comment and analysis have blamed unpatched vulnerabilities in Internet Explorer and also in Acrobat Reader; the malware involved has been identified both as variants of the Hydraq Trojan and also as new malware, dubbed by McAfee as Roarur.dr and as TROJ_PIDIEF.SHK. The attack vectors have been identified as mail with malicious PDF attachments and drive-by downloads.
 
Google, who were hit by the zero-day vulnerability in Internet Explorer, state that at least 20 other companies were victimised, and iDefense who have customers who were hit by the zero-day vulnerability in Acrobat Reader state that 33 companies were affected.
 
The motivation for the attack has been described both as an attempt to steal intellectual property and also as an attempt to breach the security of email accounts belonging to Chinese human rights activists. The attacks “appear to have been launched from at least six Internet addresses located in Taiwan” according to James Mulvenon, director of the Center for Intelligence Research and Analysis at Defense Group Inc.
 
“Changing the world”? I say not.
 
The attacks are not the first to use zero-day vulnerabilities, in fact we have most often seen zero-day exploits being first used in targeted attacks before becoming more widely spread and widely abused.
 
The attacks are not the first to use drive-by download or malicious PDF attachments to achieve their goal.
 
The attacks are not the most complex multi-component system yet seen; if you want complex, look at Koobface!
 
This is not the first time that warnings have been given to use alternative browsers until a patch becomes available.
 
This is not the first time that the finger has been pointed at China for a widespread globally distributed espionage attack.
 
There is no doubt that this attack, or these attacks are methodologically sophisticated. The bad guys were visibly successful at delivering their malicious payloads to the right people in the right companies to get access to things like source code and email accounts, but I don’t see anything here that changes the world.
 
Social engineering, lack of awareness of the threat landscape, a willingness to share too much information, the highly developed underground economy will all have contributed to the possibility and the success of these attacks.
 
What can companies and individuals do to try to avoid falling victim to these kinds of attack?

  • Educate yourselves and your users: clicking a link is enough, opening a PDF is enough to infect you, even on a fully patched system.
  • That being said, make sure all applications and systems are fully patched; if that is not possible, use host-based intrusion prevention to “virtually patch” systems and to secure against zero-day exploits.
  • When an unpatched vulnerability is identified, be sure to follow vendor advice to minimise the risk as soon as possible.
  • Encrypt valuable personal and intellectual property at file level; that way, even if it is stolen it is of limited value or use.
  • Consider the deployment of data leakage prevention technologies that will recognise and stop sensitive content from leaving your network.
  • Rethink your security model from an outside-in approach to an inside-out one. Secure data, secure access rights, secure applications. Your perimeter only exists on a network diagram.
  • At the risk of repeating myself, educate your users not to share too much personal information regarding employers, job roles and contact details. Currently far too many targets are far too visible.
  • Don’t let Chicken Little run your security.
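To make the data leakage prevention point in the list above concrete, here is an added example (not code from the original post or from any DLP product) of the kind of content inspection such a product applies to outbound mail: it looks for payment card numbers, using the Luhn checksum to discard digit runs that merely look like card numbers, and for document classification labels. The labels `CONFIDENTIAL` and `INTERNAL ONLY` and all the sample messages are constructed for the example; real products ship far larger rule sets.

```python
import re

# Digit runs of 13 to 19 digits, optionally separated by single spaces or
# dashes, which is how card numbers are usually typed into mail or forms.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Hypothetical classification labels this example assumes a company stamps
# on sensitive documents; a real DLP product ships its own rule sets.
CLASSIFICATION_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        n = int(ch)
        if position % 2 == 1:      # every second digit from the right is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return normalised card numbers in text that pass the Luhn check.

    The checksum filters out most digit runs that merely look like card
    numbers (phone numbers, order references), which keeps false positives down.
    """
    found = []
    for match in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def find_markers(text: str) -> list:
    """Return the classification labels present in the text."""
    upper = text.upper()
    return [marker for marker in CLASSIFICATION_MARKERS if marker in upper]


def inspect_outbound(message: str) -> dict:
    """Decide whether an outbound message should be held for review."""
    cards = find_card_numbers(message)
    markers = find_markers(message)
    return {"block": bool(cards or markers), "cards": cards, "markers": markers}


# Constructed sample messages (not real correspondence). 4111 1111 1111 1111 is
# the widely published Visa test number, which passes the Luhn check; the
# phone-style number in the second message does not.
SAMPLE_MESSAGES = [
    "Hi, please charge 4111 1111 1111 1111 for the invoice, thanks.",
    "Call me on 0044 20 7946 0958 tomorrow about the meeting.",
    "Attached is the Q1 roadmap - INTERNAL ONLY, do not forward.",
    "Lunch at 12?",
]


def scan_messages(messages) -> list:
    """Run the inspection over a batch and return the verdict for each one."""
    return [inspect_outbound(m) for m in messages]


if __name__ == "__main__":
    for message, verdict in zip(SAMPLE_MESSAGES, scan_messages(SAMPLE_MESSAGES)):
        action = "HOLD" if verdict["block"] else "allow"
        print(f"{action:5} {message!r} -> {verdict}")
```

Run as-is and the first and third sample messages are held while the other two pass. The Luhn step is what separates a usable rule from a noisy one: without it every phone number and order reference of the right length would be flagged, and users would soon learn to ignore the alerts.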

Move over Big Brother, Sister ELENA is here

January 6, 2010

On the 1st of January this year German employers became subject to a new legal requirement, one that has their own Data Protection Authorities, Trade Unions and Civil Rights groups appalled.

ELENA knows where you live.

 

From the beginning of 2010 every German employer must now submit detailed information on a monthly basis to the so-called ELENA database. ELENA is an acronym for Elektronischer Entgeltnachweis, which loosely translates to Electronic Payslip. This sounds innocent enough until you consider exactly what information employers are obliged to provide.

The information will cover every worker’s salary, all absenteeism and their participation in strike action whether legal or illegal. This data is to be submitted to a central hub and from 2012 it will be used to determine whether to pay out or refuse social benefits. Plans are in place to relieve employers of the necessity of printing paper-based pay statements for their employees and instead issuing each worker with a plastic “jobcard” again by 2012. This card would then need to be produced should the holder ever need to apply for benefits allowing for data retrieval to determine eligibility.

Peter Schaar, the German Information Commissioner, is reported as saying

“I’ve got a big problem with this. Until now, such information on salary declarations has not appeared, and their general storage in a central file is not legally nor constitutionally allowed.”

 

My own (German) wife’s reaction to this news was more succinct “I thought these people had agreed that the Stasi was a bad thing?”. The German blogs I could find seemed to be equally opposed to the idea.

For now though, the legislation has entered into force and the reporting has begun. We can only hope that appropriate measures have been taken to store the data in a secure location, using appropriate encryption, that the data entry and retrieval mechanisms are protected with strong encryption and multi-factor authentication and that the appropriate organisational policies and procedures have been put in place to protect this highly sensitive data.

It is an absolute certainty that a centralised data repository of this size and significance will attract the hacking and cracking attentions of criminals, script-kiddies and “hobbyists” alike.


A whole new meaning to Phishing.

December 7, 2009

UPDATE: At the suggestion of Dan Raywood from SC Magazine I am now offering up a prize to the first person to mail me all the fish I have (kind of) hidden in the blog entry. You can win my splendid USB fridge to keep your prize catch cool.

UPDATE 2: This competition has now closed and the prize been claimed. The lucky recipient of a Trend Micro USB fridge is The Harmony Guy, congratulations and may you have many happy hours together, and many thanks to all who played.

________________________________________________________________________________________

Good Cod! Sometimes it feels as though I am endlessly carping on about web site security and the value of personal information and, while I realise that this is no plaice for levity, this most recent hake is noteworthy enough to cover. Fishkeepers, the most recent victims of the cybercriminal in their pursuit of gold, are not immune.

 

The web site Practical Fishkeeping has been compromised and the details of their forum users have been put at risk. Practical Fishkeeping is no sprat, boasting almost 24,000 registered users. The site is currently offline as the damage is repaired.

 

Practical Fishkeeping offline

 

Practical Fishkeeping have not left their members floundering: an email from Matt Clarke, Editor-in-Chief of the Practical Fishkeeping magazine, was sent to all forum members on Friday evening. It is not immediately clear how the hack came to light, but the mail noted

We have been made aware that hackers have breached our website security. This is a criminal offence, and information on our register about our readers (usernames, passwords, email addresses, postal addresses and in some cases telephone numbers) may have been viewed or taken.

The mail goes on to say “If you used your password for practicalfishkeeping.co.uk for other websites, you should change those passwords.”

 

It may be easy from my perch to criticise, but if passwords truly were visible to attackers, then the web site was not applying even the most bassic secure design principles such as storing passwords in an encrypted format (along with other personally identifiable information). This would ensure they are not made available to any john dory.
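The design principle in the paragraph above, shown as an added example that is not code from the original post or from the Practical Fishkeeping site. The post speaks of an “encrypted format”; for password fields specifically the established practice is a salted, deliberately slow one-way hash rather than reversible encryption, because the site never needs the password back, only to check a login attempt against it. The example contrasts a naive plaintext row with a PBKDF2-HMAC-SHA256 row from the Python standard library; the iteration count, the user names and the passwords are all constructed values.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 iteration count. This value is a constructed example;
# pick it so that one verification costs a few tens of milliseconds on your
# hardware and raise it as machines get faster.
ITERATIONS = 200_000


def store_plaintext(username: str, password: str) -> dict:
    """What a naive forum schema does: the stored row IS the password."""
    return {"username": username, "password": password}


def store_hashed(username: str, password: str, salt: Optional[bytes] = None) -> dict:
    """Store a random per-user salt and a slow salted hash, never the password.

    The salt is stored alongside the hash; it stops identical passwords from
    producing identical rows and defeats precomputed lookup tables.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {
        "username": username,
        "salt": salt.hex(),
        "hash": digest.hex(),
        "iterations": ITERATIONS,
    }


def verify_hashed(record: dict, candidate: str) -> bool:
    """Re-derive the hash from the candidate and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def plaintext_visible_in_row(record: dict) -> Optional[str]:
    """What someone who has copied the table learns from the row itself."""
    return record.get("password")


# Constructed sample accounts (not real users or credentials); both users
# happen to have chosen the same password.
SAMPLE_USERS = [("guppy_fan", "tetra1234"), ("angelfish", "tetra1234")]


def build_tables():
    """Build the naive and the hardened user table for the same sample users."""
    naive = [store_plaintext(u, p) for u, p in SAMPLE_USERS]
    hardened = [store_hashed(u, p) for u, p in SAMPLE_USERS]
    return naive, hardened


if __name__ == "__main__":
    naive, hardened = build_tables()
    print("naive rows:   ", naive)
    print("hardened rows:", hardened)
    # Same password, different rows, thanks to the per-user salt.
    print("hardened rows identical?", hardened[0]["hash"] == hardened[1]["hash"])
    print("login with correct password ok?", verify_hashed(hardened[0], "tetra1234"))
```

With the hardened table a copied database yields only salts and hashes, so the breach notification could have stopped at “change your password here” rather than having to warn members about every other site where they reused it. The `hmac.compare_digest` call matters too: a plain string comparison can leak, through timing, how many leading bytes of the hash a guess got right.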

 

In all seriousness, this attack is highly reminiscent of the recent hack of the Richard Dawkins forum and is very much a trend I expect to see increasing over the coming months and years. Gaining access to the database of a popular website offers potential high returns for relatively little effort. If this phenomenon is in need of a new name, I offer up the term Phlatphishing.

 

There are several ways that your details can be exposed when they are stored by third parties; misconfiguration, poor coding or unpatched systems for example. This will only increase in importance as cloud services are more widely adopted. Remember, when you are registering for a community such as an online forum, you are under no obligation to give either complete or accurate personal information.

 

  • Only give whatever information is essential for the use of the service you are registering for.
  • If the service requires more details than you are willing to share, you don’t necessarily have to be truthful; there’s always room for a red herring.
  • Consider using disposable email addresses for online services; that way, if there is a compromise you can simply delete the address.

 

If you are concerned that you may have been affected by this attack and have not yet received a notification from Practical Fishkeeping, you could try contacting the publishing house Bauer Media in the first instance.

 

You may have noted I am not one to let the chance for a good pun goby, and if any of these have been crappie, I offer my sincere apologies.

