Reuters: Beyond the Breach

My piece on disruption in the cybersecurity space. Too many companies and ideas to mention in Reuter-space, but it’s a start. Thanks to Ian Geoghegan, as ever, for his editing touch.

Beyond the breach: cyberattacks force a defense strategy re-think | Reuters

(Reuters) – A barrage of damaging cyberattacks is shaking up the security industry, with some businesses and organizations no longer assuming they can keep hackers at bay, and instead turning to waging a guerrilla war from within their networks.

U.S. insurer Anthem Inc last week said hackers may have made off with some 80 million personal health records. Also, Amy Pascal said she would step down as co-chairman of Sony Pictures Entertainment, two months after hackers raided the company’s computers and released torrents of damaging emails and employee data.

Such breaches, say people in the industry, offer a chance for younger, nimbler companies trying to sell customers new techniques to protect data and outwit attackers. These range from disguising valuable data, diverting attackers up blind alleys, and figuring out how to mitigate breaches once the data has already gone.

“Suddenly, the music has completely changed,” said Udi Mokady, founder of U.S.-based CyberArk. “It’s not just Sony, it’s a culmination of things that has turned our industry around.”

Worldwide spending on IT security was about $70 billion last year, estimates Gartner. ABI Research reckons cybersecurity spending on critical infrastructure alone, such as banks, energy and defense, will reach $109 billion by 2020.

Several things are transforming the landscape. Corporations have been forced to allow employees to use their own mobile phones and tablets for work, and let them access web-based services like Facebook and Gmail from office computers. All this offers attackers extra opportunities to gain access to their networks.

And the attackers and their methods have changed.

Cyber criminals and spies are being overshadowed by politically or religiously motivated activists, says Bryan Sartin, who leads a team of researchers and investigators at Verizon Enterprise Solutions, part of Verizon Communications. “They want to hurt the victim, and they have hundreds of ways of doing it,” he said in a phone interview.

CLOSING THE DOOR

The result: companies can no longer count on defending themselves with decades-old tools like firewalls to block traffic and antivirus software to catch malware, and then assume all traffic that does make it within the network is legitimate.

Research by IT security company FireEye last month, for example, found that “attackers are bypassing conventional security deployments almost at will.” Across industries from legal to healthcare it found nearly all systems had been breached.

“Once an attacker has made it past those defenses they’re in the gooey center, and getting around is relatively simple,” said Ryan Wager, director of product management at vArmour.

Attackers can lurk inside a network for half a year before being detected. “That’s like having a bad guy inside your house for six months before you know about it,” says Aamir Lakhani, security strategist at Fortinet Inc, a network security company.

Security start-ups have developed different approaches based on the assumption that hackers are already, or soon will be, inside the network.

Canada-based Camouflage, for example, replaces confidential data in files that don’t need it, like training databases, with fictitious but usable data. This makes attackers think they have stolen something worthwhile. U.S.-based TrapX Security creates traps of ‘fake computers’ loaded with fake data to redirect and neutralize attacks.

California-based vArmour tries to secure data centers by monitoring and protecting individual parts of the network. In the Target Corp breach during the 2013 holiday shopping season, for example, attackers were able to penetrate 97 different parts of the company’s network by moving sideways through the organization, according to vArmour’s Wager.

“You need to make sure that when you close the door, the criminal is actually on the other side of the door,” he said.

‘THREAT INTELLIGENCE’

Funding these start-ups are U.S.- and Europe-based venture capital firms which sense another industry ripe for disruption.

Google Ventures and others invested $22 million in ThreatStream in December, while Bessemer Venture Partners last month invested $30 million in iSIGHT Partners. Both companies focus on so-called ‘threat intelligence’ – trying to understand what attackers are doing, or plan to do.

Clients are starting to listen.

Veradocs’ CEO and co-founder Ajay Arora says that while his product is not officially live, his firm is already working with companies ranging from hedge funds to media entertainment groups to encrypt key documents and data.

UK-based Darktrace, which uses math and machine learning to spot abnormalities in a network that might be an attack, has a customer base that includes Virgin Trains, Norwegian shipping insurer DNK and several telecoms companies.

But it’s slow going. Despite being open for business since 2013, it’s only been in the past six months that interest has really picked up, says Darktrace’s director of technology Dave Palmer. 

“The idea that indiscriminate hacking would target all organizations is only starting to get into the consciousness.”

All at sea: global shipping fleet exposed to hacking threat

[Original link: this one includes links to the source material where available]

(Reuters) – The next hacker playground: the open seas – and the oil tankers and container vessels that ship 90 percent of the goods moved around the planet.

In this internet age, as more devices are hooked up online, so they become more vulnerable to attack. As industries like maritime and energy connect ships, containers and rigs to computer networks, they expose weaknesses that hackers can exploit.

Hackers recently shut down a floating oil rig by tilting it, while another rig was so riddled with computer malware that it took 19 days to make it seaworthy again; Somali pirates help choose their targets by viewing navigational data online, prompting ships to either turn off their navigational devices, or fake the data so it looks like they’re somewhere else; and hackers infiltrated computers connected to the Belgian port of Antwerp, located specific containers, made off with their smuggled drugs and deleted the records.

While data on the extent of the maritime industry’s exposure to cyber crime is hard to come by, a study of the related energy sector by insurance brokers Willis this month found [PDF] that the industry “may be sitting on an uninsured time bomb”.

Globally, it estimated that cyber attacks against oil and gas infrastructure will cost energy companies close to $1.9 billion by 2018. The British government reckons cyber attacks already cost UK oil and gas companies around 400 million pounds ($672 million) a year.

In the maritime industry, the number of known cases is low as attacks often remain invisible to the company, or businesses don’t want to report them for fear of alarming investors, regulators or insurers, security experts say.

There are few reports that hackers have compromised maritime cyber security. But researchers say they have discovered significant holes in the three key technologies sailors use to navigate: GPS, marine Automatic Identification System (AIS), and a system for viewing digital nautical charts called Electronic Chart Display and Information System (ECDIS).

“Increasingly, the maritime domain and energy sector has turned to technology to improve production, cost and reduce delivery schedules,” a NATO-accredited think-tank wrote in a recent report. “These technological changes have opened the door to emerging threats and vulnerabilities as equipment has become accessible to outside entities.”

TIP OF THE ICEBERG

As crews get smaller and ships get bigger, they increasingly rely on automation and remote monitoring, meaning key components, including navigational systems, can be hacked.

A recent study by security company Rapid7 found more than 100,000 devices – from traffic signal equipment to oil and gas monitors – were connected to the internet using serial ports with poor security. “The lines get blurry, and all industries and all technologies need to focus more on security,” said Mark Schloesser, one of the authors of the study.

Mark Gazit, CEO of ThetaRay, an internet security company, said an attacker managed to tilt a floating oil rig to one side off the coast of Africa, forcing it to shut down. It took a week to identify the cause and fix, he said, mainly because there were no cyber security professionals aboard. He declined to say more.

Lars Jensen, founder of CyberKeel, a maritime cyber security firm, said ships often switch off their AIS systems when passing through waters where Somali pirates are known to operate, or fake the data to make it seem they’re somewhere else.

Shipping companies contacted by Reuters generally played down the potential threat from hackers. “Our only concern at this stage is the possible access to this information by pirates, and we have established appropriate countermeasures to handle this threat,” said Ong Choo Kiat, president of U-Ming Marine Transport, Taiwan’s second-largest listed shipping firm by market value. The company owns and operates 53 dry cargo ships and oil tankers.

VIRUS-RIDDLED

A study last year by the Brookings Institution of six U.S. ports found that only one had conducted an assessment of how vulnerable it was to a cyber attack, and none had developed any plan to respond to such an attack. Of some $2.6 billion allocated to a federal program to beef up port security, less than 1 percent had been awarded for cyber security projects.

When CyberKeel probed the online defences of the world’s 20 largest container carriers this year it found 16 had serious security gaps. “When you look at the maritime industry there’s extremely limited evidence of systems having been breached” compared to other sectors, said CyberKeel’s Jensen. “That suggests to us that they’ve not yet been found out.”

Michael Van Gemert, a security consultant to the oil and gas industry, said that on visits to rigs and ships he has found computers and control systems riddled with viruses. In one case, he said it took 19 days to rid a drilling rig en route from South Korea to Brazil of malware which had brought the vessel’s systems to a standstill.

“The industry is massively in need of help, they have no idea what the risks are,” he said.

The main ship navigation systems – GPS, AIS and ECDIS – are standards supported by bodies such as the International Maritime Organisation (IMO). Indeed, that body has made AIS and ECDIS mandatory on larger commercial and passenger vessels.

Researchers from the University of Texas demonstrated last July that it was possible to change a ship’s direction by faking a GPS signal to dupe its onboard navigation system.

Marco Balduzzi and colleagues at anti-virus vendor Trend Micro last month showed that an attacker with a $100 VHF radio could exploit weaknesses in AIS – which transmits data such as a vessel’s identity, type, position, heading and speed to shore stations and other ships – and tamper with the data, impersonate a port authority’s communications with a ship or effectively shut down communications between ships and with ports.

In January, a British cyber security research firm, NCC Group, found flaws in one vendor’s ECDIS software that would allow an attacker to access and modify files, including charts. “If exploited in a real scenario,” the company concluded, “these vulnerabilities could cause serious environmental and financial damage, and even loss of life.”

When the USS Guardian ran aground off the Philippines last year, the U.S. Navy in part blamed incorrect digital charts. A NATO-accredited think-tank said the case illustrated “the dangers of exclusive reliance upon electronic systems, particularly if they are found vulnerable to cyber attack.”

“Most of these technologies were developed when bandwidth was very expensive or the internet didn’t exist,” said Vincent Berk, CEO of security company FlowTraq.

NO QUICK FIX

Fixing this will take time, and a change in attitude.

“Security and attack scenarios against these technologies and protocols have been ignored for quite some time in the maritime industry,” said Rapid7’s Schloesser.

Researchers like Fotios Katsilieris have offered ways to measure whether AIS data is being faked, though he declined to be interviewed, saying it remained a sensitive area. One Google researcher who has proposed changes to the AIS protocol wrote on his blog that he had been discouraged by the U.S. Coastguard from talking publicly about its vulnerabilities.

Indeed, AIS is abused within the industry itself.

Windward, an Israeli firm that collects and analyses AIS data, found 100 ships transmitting incorrect locations via AIS in one day – often for security or financial reasons, such as fishing boats operating outside assigned waters, or smuggling.

In a U.N. report issued earlier this year [PDF] on alleged efforts by North Korea to procure nuclear weapons, investigators wrote that one ship carrying concealed cargo turned off its AIS signals to disguise and conceal its trip to Cuba.
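As an added example (not code from the article or from any of the researchers it names), here is the kind of plausibility check used to spot faked AIS position reports: it flags consecutive reports from one vessel whose implied speed is physically impossible or wildly inconsistent with the reported speed over ground, and long reporting silences of the kind the U.N. report describes. The thresholds and the sample track are assumptions.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_NM = 3440.065        # mean Earth radius in nautical miles
MAX_PLAUSIBLE_SPEED_KN = 50.0     # assumed ceiling: no merchant hull moves faster
SPEED_MISMATCH_FACTOR = 3.0       # assumed tolerance between implied and reported speed
MAX_REPORT_GAP_SEC = 6 * 3600     # assumed: silence longer than this is worth a look


@dataclass
class PositionReport:
    mmsi: int        # vessel identifier carried in every AIS position message
    ts: int          # unix time the message was received
    lat: float
    lon: float
    sog_kn: float    # speed over ground as reported by the vessel, in knots


def haversine_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in nautical miles."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_NM * asin(sqrt(a))


def check_track(reports):
    """Return (index, reason) pairs for reports that look faked or for suspicious silences.

    Reports are sorted by time; index refers to the sorted track.
    """
    findings = []
    track = sorted(reports, key=lambda r: r.ts)
    for i in range(1, len(track)):
        prev, cur = track[i - 1], track[i]
        if cur.mmsi != prev.mmsi:
            raise ValueError("check_track expects reports from a single MMSI")
        dt_h = (cur.ts - prev.ts) / 3600.0
        if dt_h <= 0:
            findings.append((i, "duplicate or out-of-order timestamp"))
            continue
        if cur.ts - prev.ts > MAX_REPORT_GAP_SEC:
            findings.append((i, f"reporting gap of {dt_h:.1f} h"))
        dist_nm = haversine_nm(prev.lat, prev.lon, cur.lat, cur.lon)
        implied_kn = dist_nm / dt_h
        if implied_kn > MAX_PLAUSIBLE_SPEED_KN:
            # The vessel "teleported": the position in one of the two reports is not real.
            findings.append((i, f"implied speed {implied_kn:.0f} kn exceeds physical limit"))
        elif implied_kn > SPEED_MISMATCH_FACTOR * max(cur.sog_kn, 1.0):
            # Positions are reachable, but not at the speed the vessel claims to be making.
            findings.append((i, f"implied speed {implied_kn:.0f} kn vs reported {cur.sog_kn} kn"))
    return findings


# Constructed sample track (not real data): two plausible reports half an hour apart,
# then a jump of roughly 320 nm in 30 minutes, then 13 hours of silence.
SAMPLE_TRACK = [
    PositionReport(123456789, 0, 1.20, 103.80, 16.0),
    PositionReport(123456789, 1800, 1.30, 103.90, 16.0),
    PositionReport(123456789, 3600, 5.00, 100.00, 16.0),
    PositionReport(123456789, 3600 + 13 * 3600, 5.05, 100.05, 2.0),
]

if __name__ == "__main__":
    for idx, reason in check_track(SAMPLE_TRACK):
        print(f"report {idx}: {reason}")
```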

It’s not clear how seriously the standards bodies treat the threat. Trend Micro’s Balduzzi said he and his colleagues were working with standards organisations, which he said would meet next year to discuss his research into AIS vulnerabilities.

The core standard is maintained by the International Telecommunications Union (ITU) in association with the IMO. In a statement, the IMO said no such report of vulnerabilities had been brought to its attention. The ITU said no official body had contacted it about the vulnerabilities of AIS. It said it was studying the possibility of reallocating spectrum to reduce saturation of AIS applications.

Yevgen Dyryavyy, author of the NCC report on ECDIS, was sceptical that such bodies would solve the problems soon.

First, he said, they have to understand the IT security of shipboard networks, onboard linked equipment and software, and then push out new guidelines and certification.

Until then, he said, “nothing will be done about it.”

($1 = 0.5949 British Pounds) (Additional reporting by Keith Wallis; Editing by Ian Geoghegan)

We’re Not in the Business of Understanding our User


A few years ago I wrote about how sometimes your product is useful to people in ways you didn’t know—and that you’d be smart to recognise that and capitalize on it (What Your Product Does You Might Not Know About, 2007).

One of the examples I cited was ZoneAlarm, a very popular firewall that was bought by Check Point. The point I made with their product was how useful the Windows system tray icon was in that it doubled as a network activity monitor. The logo, in short, would switch to a twin gauge when there was traffic. Really useful: it wasn’t directly related to the actual function of the firewall, but for most people that’s academic. If the firewall’s up and running and traffic is showing through it, everything must be good.

The dual-purpose icon was a confidence-boosting measure, a symbol that the purpose of the product—to keep the network safe—was actually being fulfilled.

Not any more. A message on the ZoneAlarm User Community forum indicates that as of March this year the icon will not double as a network monitor. In response to questions from users a moderator wrote:

Its not going to be fixed in fact its going to be removed from up comming [sic] ZA version 10
So this will be a non issue going forward.
ZoneAlarm is not in the buiness [sic] of showing internet activity.
Forum Moderator

So there you have it. A spellchecker-challenged moderator tells it as it is. Zone Alarm is now just another firewall, with nothing to differentiate it and nothing to offer the user who’s not sure whether everything is good in Internet-land. Somebody who didn’t understand the product and the user saved a few bucks by cutting the one feature that made a difference to the user.

Check Point hasn’t covered itself in glory, it has to be said. I reckon one can directly connect the fall in interest in their product with the purchase by Check Point of Zone Labs in December 2003 (for $200 million). Here’s what a graph of search volume looks like for zonealarm since the time of the purchase. Impressive, eh?

[image: graph of search volume for zonealarm since the purchase]

Of course, this also has something to do with the introduction of Windows’ own firewall, which came out with XP SP2 in, er, 2004. So good timing for Zone Labs but not so great for Check Point.

Which is why they should have figured out that the one thing that separated Zone Alarm from other firewalls was the dual purpose icon. So yes, you are in the business of showing Internet activity. Or were.

(PS Another gripe: I tried the Pro version on trial and found that as soon as the trial was over, the firewall closed down. It didn’t revert to the free version; it just left my computer unprotected. “Your computer is unprotected,” it said. Thanks a bunch!)

Phishy Facebook Emails

Facebook phishes are getting better. Compare this one:

[image: facebook real]

and this:

[image: facebook scam]

Notice how the key bit, supposedly defining that it’s a legit email, is successfully and convincingly faked: [image]

The only difference that stands out is the domain: facebookembody.com. Although Google classified it as spam they didn’t warn that it would go to a website that contains malware. So be warned. Notification emails aren’t such a good idea anymore, if they ever were.
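As an added illustration (not code from the original post), a small Python check that pulls every link out of a constructed notification email and flags hosts that are not the genuine domain, including lookalikes such as the facebookembody.com domain mentioned above. The allowed-domain list and the sample email are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: registrable domains a genuine Facebook notification may link to.
LEGIT_DOMAINS = ("facebook.com", "fb.com")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_matches(host, domain):
    """True only if host is the domain itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_link(href):
    """Return a reason string if the link leaves the allowed domains, else None."""
    host = urlparse(href).hostname or ""
    if not host:
        return "link has no host"
    if any(host_matches(host, d) for d in LEGIT_DOMAINS):
        return None
    for d in LEGIT_DOMAINS:
        brand = d.split(".")[0]
        # "facebookembody.com" or "facebook.com.example.test" both trip this branch.
        if brand in host:
            return f"lookalike host {host} contains '{brand}' but is not {d}"
    return f"host {host} is outside the allowed domains"


def find_suspicious_links(html):
    """Return [(href, reason)] for every link in the message that fails the check."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(href, r) for href, _ in collector.links if (r := classify_link(href))]


# Constructed sample (not a real message): one genuine link, two lookalikes.
SAMPLE_EMAIL = """
<p>You have 3 new notifications.</p>
<a href="https://www.facebook.com/n/?notifications">See notifications</a>
<a href="http://www.facebookembody.com/n/?notifications">See notifications</a>
<a href="http://facebook.com.login-check.example/verify">Verify your account</a>
"""

if __name__ == "__main__":
    for href, reason in find_suspicious_links(SAMPLE_EMAIL):
        print(f"{href}: {reason}")
```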

DigiNotar Breach Notes

Some folk have asked me for more details about the DigiNotar breach after my brief appearance on Al Jazeera this morning. So here are the notes I prepared for the segment. Links at the bottom.

Background

Web security certificates are digital IDs issued by companies entrusted with making sure they are given to the right company or organisation. They allow a user to set up a secure connection between their computer and the organisation’s website. Browsers will show a little lock or some other icon to signify the certificate has been found and is trusted.

Hackers broke into a Dutch company called DigiNotar, itself owned by US firm Vasco Data Security, in mid June. DigiNotar is one of hundreds of companies around the globe called certificate authorities that issue these authentication certificates. Browsers contain a list of which CAs they can trust.

These hackers would have been able to steal existing certificates or generate their own, meaning they could now, with the help of an Internet Service Provider, launch what are called Man in the Middle Attacks–meaning they could intercept traffic, a bit like tapping a telephone.

DigiNotar noticed that something was amiss in July, but didn’t realise the extent of the breach until late August, by which time more than 500 (531) fake certificates were issued. While some cover domains like the CIA and MI6, these are probably just distractions. The key ones are a dozen issued for domains like Google, Facebook and Skype.

Why do we think this was about Iran?

Studies of the validation requests–browsers pinging DigiNotar to confirm the certificate’s authenticity–showed that during August the bulk–maybe 99%–of the traffic was coming from Iran. When the certificates were eventually revoked, Iranian activity dropped.

Moreover the attackers left some quite obvious clues. They left calling cards: transcribed Farsi which translates into slogans such as “I will sacrifice my life for my leader.” “unknown soldier”

Why might Iran be interested?

Well, we now know that a lot of countries like Syria intercept ordinary Internet traffic through something called Deep Packet Inspection. This means that the government is basically snooping on web traffic. But when that traffic passes through these secure connections, it’s much harder. So the holy grail of any internet surveillance is to get a hold of those certificates, or work around them. This is a brazen attempt to do this.

All Internet traffic in Iran has to go through a government proxy, making this kind of attack much simpler. The government ISP just uses the certificate to pretend to be Google, or whatever, and then passes the traffic on.

Is it the government?

This is harder to confirm. The Dutch government is investigating this. A similar attack took place against an Italian CA in March, and it shows similar fingerprints.

But the fact that the certificates were stolen and then used seems to suggest some official connection.

What could they have discovered?

Quite a lot. All the traffic that was intercepted could be deciphered, meaning all browsing and emails. But it also may have captured cookies, meaning passwords, which would have made it easy to hack into target accounts and sniff around old emails, dig out other passwords, or hack into associated accounts, such as Google Docs.

Moreover, some of the certificates compromise something called The Onion Router, a service which anonymizes web traffic. Though TOR itself wasn’t compromised the certificates could convince your browser you were talking to TOR, whereas in fact you’d be talking to the attacker.

Should other people be worried?

Yes. Some browser developers have been more forthcoming than others; Google Chrome and Firefox have been quick to respond. Others less so. If you’re in Iran or think you may be targeted, it’s a good idea to change your password, and to check that no one has altered your forwarding details in your email account. You should also upgrade your browser to the latest version, whatever browser you use.

DigiNotar made some horrible mistakes: one Windows domain for all certificate servers, no antivirus, a simple administrator password. There were defaced pages on the website dating back to 2009. One has to wonder what other certificate authorities are similarly compromised. We rely on these companies to know what they’re doing. They’re the top of the food chain, in the words of one analyst.

We should now be looking closely at the previous breaches and looking for others. This is a ratcheting up of the stakes in a cyberwar; this kind of thing has real world impact on those people who thought they were communicating safely and will now fear the knock on their door.

In the future this is likely to lead to a change in the way certificates are issued and checked. I don’t think DigiNotar is going to survive this, but I think a bigger issue is bound to be how this security issue is handled. I think governments which look to the Internet as a tool for democratic change need also to be aware of just how dangerous it is to encourage dissidents to communicate online, whether or not they’re being careful.

News:

BBC News – Fake DigiNotar web certificate risk to Iranians

DigiNotar – Wikipedia, the free encyclopedia

Fake DigiNotar certificates targeting Iranians?

Expert reports/analysis:

DigiNotar Hacked by Black.Spook and Iranian Hackers – F-Secure Weblog : News from the Lab

Operation Black Tulip: Fox-IT’s report on the DigiNotar breach | Naked Security (Sophos)

Fox-IT report, operation Black Tulip (PDF)

VASCO:

Acquisition DigiNotar

VASCO DigiNotar Statement

Comodogate:

Comodo Group – Wikipedia, the free encyclopedia

Real Phone Hacking

Interesting glimpse into the real world of phone hacking–not the amateurish stuff we’ve been absorbed by in the UK–by Sharmine Narwani: In Lebanon, The Plot Thickens « Mideast Shuffle.

First off, there’s the indictment just released by the Special Tribunal for Lebanon which, in the words of Narwani,

appears to be built on a simple premise: the “co-location” of cellular phones — traceable to the accused four — that coincide heavily with Hariri’s whereabouts and crucial parts of the murder plot in the six weeks prior to his death.

Indeed, the case relies heavily on Call Data Record (CDR) analysis. Which sounds kind of sophisticated. Or is it? Narwani contends that this could have been manufactured. Indeed, she says,

there isn’t a literate soul in Lebanon who does not know that the country’s telecommunications networks are highly infiltrated — whether by competing domestic political operatives or by foreign entities.

There is plenty of evidence to support this. The ITU recently issued two resolutions [PDF] basically calling on Israel to stop conducting “piracy, interference and disruption, and sedition”.

And Lebanon has arrested at least two men accused of helping Israel infiltrate the country’s cellular networks. What’s interesting about this from a data war point of view is that one of those arrested has confessed, according to Narwani, to lobbying for the cellular operator he worked for not to install more secure hardware, made by Huawei, which would have presumably made eavesdropping harder. (A Chinese company the good guy? Go figure.)

If this were the case–if Lebanon’s cellular networks were so deeply penetrated–then it’s evidence of the kind of cyberwar we’re not really equipped to understand, let alone deal with: namely data manipulation.

Narwani asks whether it could be possible that the tribunal has actually been hoodwinked by a clever setup: that all the cellular data was faked, when

a conspiring “entity” had to obtain the deepest access into Lebanese telecommunications networks at one or — more likely — several points along the data logging trail of a mobile phone call. They would have to be able to intercept data and alter or forge it, and then, importantly, remove all traces of the intervention.

After all, she says,

the fact is that Hezbollah is an early adherent to the concept of cyberwarfare. The resistance group have built their own nationwide fiber optics network to block enemy eavesdropping, and have demonstrated their own ability to intercept covert Israeli data communications. To imagine that they then used traceable mobile phones to execute the murder of the century is a real stretch.

Who knows? But Narwani asserts that

Nobody doubts Israel’s capacity to carry out this telecom sleight of hand — technology warfare is an entrenched part of the nation’s military strategies. This task would lie somewhere between the relatively facile telephone hacking of the News of the World reporters and the infinitely more complex Stuxnet attack on Iran’s nuclear facilities, in which Israel is a prime suspect.

In other words, there’s something going on here that is probably a lot more sophisticated than a tribunal can get behind. I’m no Mideast expert, but if only half of this is true it’s clear that cellphones are the weakest link in a communications chain. And if this kind of thing is going on in Lebanon, one has to assume that it’s going on in a lot of places.

Southeast Asia’s Viral Infection

Southeast Asia is fast developing a reputation as the most dangerous place on the Internet. It’s not a reputation the region can afford to have.

By one count Thailand has risen, in the past few months, to be the country with the highest number of malware infections, and by another to be the second.

PandaLabs’ report on the second quarter of 2011 [PDF] lists Thailand as having the second highest rate of malware infection (after China), with nearly 57% of computers scanned by its antivirus software found to be infected. The global average is about 40%. Thailand was second in the previous quarter too, but with an even higher infection rate, of 65%. Most of these infections seem to come from worms.

Indeed, this trend seems to have started last year. The AntiPhishing Working Group’s report for the second half of 2010 lists Thailand as top in terms of infected countries, at nearly 67%, higher than China’s 63%. (I should point out that the chief analyst for the APWG is Luis Corrons, who is technical director of PandaLabs, so the source of this data may actually be one place.)

Indonesia, meanwhile, now equals the United States as the highest single source of Distributed Denial of Service attacks, according to data from Kaspersky (Expect More DDoS Attacks Tomorrow, published on Monday):

The US and Indonesia topped the rating with each country accounting for 5% of all DDoS traffic. The US’s leading position is down to the large number of computers in the country – a highly attractive feature for botmasters. Meanwhile, the large number of infected computers in Indonesia means it also ranks highly in the DDoS traffic rating. According to data from Kaspersky Security Network, Kaspersky Lab’s globally-distributed threat monitoring network, in Q2 2011 almost every second machine (48%) in Indonesia was subjected to a local malware infection attempt.

A couple of points here:

  • Indonesia has a lot fewer computers connected to the Internet than the U.S.: about 40 million vs 245 million. This means that Indonesia is generating 5 times as much DDOS traffic per computer as the U.S.
  • The discrepancies in the infection rates between Kaspersky and Panda are artifacts of the way these companies measure these things. Basically, as far as I understand, they gather data from users, so a lot depends on just how popular that particular piece of antivirus software is in the country, and on factors such as the likelihood of people actually using antivirus software.

The Kaspersky report shows that Southeast Asia features heavily in the proportion of DDOS traffic:

  • Indonesia 5%
  • Philippines 4%
  • Vietnam 4%
  • Thailand 4%
  • Singapore 4%
  • Malaysia 3%

Internet traffic optimizer Akamai, meanwhile, reported that [PDF, may have to answer a short survey before reading] Burma (Myanmar) accounted for 13% of the world’s attack traffic (i.e. DDOS traffic). This was the first time that Burma appeared on the list. I’ve spoken to Akamai and they’re not clear why this is the case, but they did point to the fact that their data covers the first quarter of 2011, a few months after a massive DDOS attack on Burma which happened to coincide with the country’s elections.

The suspicion at the time was that this was self-inflicted: basically pro-government hackers preventing Burmese from using the Internet to get alternative sources of election information. Makes sense. Akamai’s theory is that the traffic it saw in the first quarter of this year was residual traffic from those massive attacks. But the truth is that no one knows.

More generally, it’s not good that Southeast Asia is now becoming this malware and DDOS capital. There are lots of reasons for it, which I’ll be exploring as part of a project in the months to come.

Full version of the Kaspersky report: DDoS attacks in Q2 2011 – Securelist

The Battery DDOS: Tip of An Iceberg

An interesting story is brewing about the FBI investigating a DDOS (Distributed Denial of Service) attack on websites selling batteries. But the reporting does not go far enough: in fact, a little research reveals this is part of a much bigger assault on a range of industries.

As a starting point, look at Elinor Mills of the excellent Insecurity Complex at CNET:

U.S. battery firms reportedly targeted in online attack | InSecurity Complex – CNET News: “The FBI is investigating denial-of-service attacks targeting several U.S. battery retail Web sites last year that were traced to computers at Russian domains in what looks like a corporate-sabotage campaign, according to documents published yesterday by The Smoking Gun.”

But a closer look at the source documents suggests this is just the tip of a much bigger iceberg. The Smoking Gun incorrectly reports the email address used by the alleged hacker, a St Petersburg man called Korjov Sergey Mihalivich, as lvf56fre@yahoo.com. In fact, the FBI lists it as lvf56kre@yahoo.com, which yields much more interesting results. Such as this one, from ShadowServer.

ShadowServer shows that the domains under that person’s control, globdomain.ru (not globdomian.ru as reported by the Smoking Gun) and greenter.ru, have been prolific since 2010 in launching DDOS attacks against 14 countries and more than 30 industries and government websites. An update from ShadowServer in January 2011 counted 170 “different victims. Again, these attacks are across many different industries and target some rather high profile sites.” (It doesn’t identify them.)

The DDOS attacks use the BlackEnergy botnet, described by Arbor Networks’ Jose Nazario in a 2007 paper [PDF]. Back then Nazario reported the botnet’s C&C systems were hosted in Malaysia and Russia.

The same email address used for those two domains has registered other domains, among them trashdomain.ru, which has been recorded as the host for a Trojan dropper called Microjoin.
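The pivot described in the last few paragraphs, from one registrant address to every domain it has registered and back again, is simple to mechanize; the following is an added example written for this post, not code from ShadowServer, the FBI or The Smoking Gun. The registration records are constructed: only the three domain names come from the post, and the registrant addresses are placeholders on example.invalid, one of them differing by a single letter to mimic the “fre” for “kre” mis-transcription. The near-miss search shows why an empty pivot on an address copied from a report should prompt a check for typos before concluding there is nothing to find.

```python
"""Pivoting on a registrant e-mail address across domain registrations.

Added example for this post; not code from ShadowServer, the FBI or The
Smoking Gun. RECORDS is CONSTRUCTED: only the domain names come from the
post, and the registrant addresses are placeholders (example.invalid) that
stand in for the real one, with a one-character variant to mimic the
mis-transcription the post describes.
"""
from collections import defaultdict

RECORDS = [  # constructed WHOIS-style records, not real lookups
    {"domain": "globdomain.ru",  "registrant_email": "registrant-kre@example.invalid"},
    {"domain": "greenter.ru",    "registrant_email": "registrant-kre@example.invalid"},
    # same registrant, different letter case: normalization must catch this
    {"domain": "trashdomain.ru", "registrant_email": "Registrant-KRE@Example.invalid"},
    {"domain": "unrelated-shop.example", "registrant_email": "someone-else@example.invalid"},
]


def normalize_email(addr: str) -> str:
    """Registrant fields are free text; compare them case-insensitively."""
    return addr.strip().lower()


def index_by_email(records):
    """Map normalized registrant address -> set of domains."""
    idx = defaultdict(set)
    for r in records:
        idx[normalize_email(r["registrant_email"])].add(r["domain"])
    return idx


def pivot(records, email):
    """Domains registered with exactly this address (the basic pivot)."""
    return sorted(index_by_email(records).get(normalize_email(email), ()))


def related_domains(records, domain):
    """Other domains sharing a registrant address with `domain`."""
    idx = index_by_email(records)
    linked = set()
    for r in records:
        if r["domain"] == domain:
            linked |= idx[normalize_email(r["registrant_email"])]
    linked.discard(domain)
    return sorted(linked)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot near-miss addresses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def near_misses(records, email, max_dist=1):
    """Known registrant addresses within `max_dist` edits of `email`.

    An empty pivot on an address copied from a report is often a typo in the
    report, not an absence of data; this surfaces candidate corrections.
    """
    target = normalize_email(email)
    return sorted(e for e in index_by_email(records)
                  if e != target and levenshtein(e, target) <= max_dist)


if __name__ == "__main__":
    typo = "registrant-fre@example.invalid"
    print("pivot on typo:", pivot(RECORDS, typo))        # []
    print("near misses:", near_misses(RECORDS, typo))    # the 'kre' address
    for cand in near_misses(RECORDS, typo):
        print(cand, "->", pivot(RECORDS, cand))
    print("linked to globdomain.ru:", related_domains(RECORDS, "globdomain.ru"))
```

On real data the records would come from historical WHOIS or passive-DNS archives rather than a hand-built list, and the edit-distance check is deliberately tight (one edit) so that it flags transcription slips without pulling in unrelated addresses.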

In other words, this is about a lot more than batteries. This appears to be DDOS for rent to businesses wanting to take out rivals in a host of fields. Indeed, the FBI investigation makes this clear, and cites $600,000 in damage caused, including attacks on “a wide range of businesses located in the United States.” (This does not include the dozen other countries affected, hence, presumably, the quite low sum involved.)

The batteries attack took place in October 2010, but the FBI document makes clear that as of May 2011 the attacks were still going on.

At present it’s not clear who is behind these attacks–in other words, who is paying for them. This could be a ransom attack–pay up or we will keep DDOSing–but this doesn’t seem to be the case, as Batteries4less.com Chief Executive Coryon Redd doesn’t mention any such approach in an interview with Mills. He seems to believe that “[t]he competitor is going to be U.S.-based and contracting out with a bad guy in Russia.”

Could be right. In which case the investigation has stumbled on a dark world of business tactics stretching from banking to astrology consultants. More research needed, please.

Did Prolexic Fend Off Anonymous’s Sony Attacks?

Prolexic, a company that defends clients against Distributed Denial of Service (DDoS) attacks, says it has successfully combatted the “Largest Packet-Per-Second DDoS Attack Ever Documented in Asia”:

“Prolexic Technologies, the global leader in Distributed Denial of Service (DDoS) mitigation services, today announced it successfully mitigated another major DDoS attack of unprecedented size in terms of packet-per-second volume. Prolexic cautions that global organizations should consider the attack an early warning of the escalating magnitude of similar DDoS threats that are likely to become more prevalent in the next 6 to 8 months.”

Although it describes the customer only as “an Asian company in a high-risk e-commerce industry” it could well be connected to the recent attacks on Sony by Anonymous. A piece by Sebastian Moss – The Worst Is Yet To Come: Anonymous Talks To PlayStation LifeStyle — in April quoted an alleged member of Anonymous called Takai as reacting to unconfirmed reports that Sony had hired Prolexic to defend itself (Sony Enlists DDoS Defense Firm to Combat Hackers):

“It was expected. We knew sooner or later Sony would enlist outside help”. Pressed on whether Anonymous would take out Prolexic, Takai showed confidence in the ‘hacktavist’s’ upcoming retaliation, stating “well, if I had to put money on it … I’d say, Prolexic is going down like a two dollar wh*** in a Nevada chicken ranch  ”. He did admit that the company “is quite formidable” and congratulated “them for doing so well”, but again he warned “We do however have ways for dealing with the ‘Prolexic’ factor”.

The website also quoted Anonymous members expressing frustration at the new defences, though they appeared confident they would eventually prevail. That doesn’t seem to have happened.

Prolexic’s press release says the attacks had been going on for months before the client approached the company. The size of the attack, the company said, was staggering:

According to Paul Sop, chief technology officer at Prolexic, the volume reached levels of approximately 25 million packets per second, a rate that can overwhelm the routers and DDoS mitigation appliances of an ISP or major carrier. In contrast, most high-end border routers can forward 70,000 packets per second in typical deployments. In addition, Prolexic’s security experts found 176,000 remotely controlled PCs, or bots, in the attacker’s botnet (robot network). This represents a significant threat as typically only 5,000-10,000 bots have been employed in the five previous attacks mitigated by Prolexic.

It does not say why it considers the attack over, nor does it give any timeline for the attack. But if the client is Sony, it presumably means that Anonymous has withdrawn for now or is preoccupied with other things. Prolexic, however, is probably right when it warns this is a harbinger of things to come:

“Prolexic sees this massive attack in Asia with millions of packets per second as an early warning beacon of the increasing magnitude of DDoS attacks that may be on the horizon for Europe and North America in the next 6 to 8 months,” Sop said. “High risk clients, such as those extremely large companies in the gaming and gambling industries in Asia, are usually the first targets of these huge botnets just to see how successful they can be.”
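To make the press-release figures concrete, here is an added example (not Prolexic’s code, and not from the original post) of the kind of aggregate check a network operator would run: it buckets sampled packet observations per second, scales the count by the sampler’s rate, and flags a bucket whose estimated packet rate exceeds the 70,000 pps router forwarding figure quoted above. The observations are constructed; the sampling rate, bucket width and the source-count threshold that separates a distributed flood from a single noisy source are assumptions for this example.

```python
"""Aggregate packet-rate check for a volumetric flood.

Added example; not Prolexic's code and not from the original post. The
observations are CONSTRUCTED (timestamp in seconds, source address) as a
sampling flow collector would emit them. The 70,000 pps router figure comes
from the press release; the sampling rate, bucket width and the source-count
threshold that separates a distributed flood from a single noisy source are
assumptions for this example.
"""
from collections import Counter, defaultdict

ROUTER_CAPACITY_PPS = 70_000  # "most high-end border routers" figure from the press release


def bucket_packets(observations, bucket_seconds=1.0):
    """Return {bucket_start: (sampled_packet_count, distinct_sources)}."""
    counts = Counter()
    sources = defaultdict(set)
    for ts, src in observations:
        b = int(ts // bucket_seconds) * bucket_seconds
        counts[b] += 1
        sources[b].add(src)
    return {b: (counts[b], len(sources[b])) for b in counts}


def peak_rate(buckets, bucket_seconds=1.0, sampling_rate=1):
    """Busiest bucket as (estimated pps, distinct sources seen, bucket_start).

    With 1-in-N packet sampling the count is scaled by N; the distinct-source
    figure is NOT scaled, so it is only a lower bound on the botnet size.
    """
    b, (n, s) = max(buckets.items(), key=lambda kv: kv[1][0])
    return n * sampling_rate / bucket_seconds, s, b


def classify(observations, capacity_pps=ROUTER_CAPACITY_PPS,
             bucket_seconds=1.0, sampling_rate=1, min_sources=100):
    """'normal' below capacity; otherwise distributed vs concentrated flood."""
    buckets = bucket_packets(observations, bucket_seconds)
    pps, srcs, _ = peak_rate(buckets, bucket_seconds, sampling_rate)
    if pps <= capacity_pps:
        return "normal"
    return "distributed-flood" if srcs >= min_sources else "concentrated-flood"


def per_bot_rate(total_pps, bots):
    """Average pps each bot must send to reach `total_pps` in aggregate."""
    return total_pps / bots


def constructed_observations():
    """Two quiet seconds, then one second of flood from 300 distinct sources."""
    obs = []
    for sec in (0, 1):  # baseline: 20 sampled packets/s from 20 hosts
        for i in range(20):
            obs.append((sec + i / 20, f"10.0.0.{i + 1}"))
    for i in range(300):  # flood: 300 sampled packets in second 2, all different sources
        src = f"203.0.113.{i + 1}" if i < 250 else f"198.51.100.{i - 249}"
        obs.append((2 + i / 300, src))
    return obs


if __name__ == "__main__":
    obs = constructed_observations()
    pps, srcs, start = peak_rate(bucket_packets(obs), sampling_rate=1000)
    print(f"peak {pps:,.0f} pps (est.) from >= {srcs} sources at t={start}")
    print("verdict:", classify(obs, sampling_rate=1000))
    # The press-release numbers: 25 Mpps spread over 176,000 bots
    print(f"per-bot share of a 25 Mpps flood: {per_bot_rate(25_000_000, 176_000):.1f} pps")
```

Two things the figures in the release imply fall out of this: a 25 million pps flood spread over 176,000 bots is only about 142 pps per bot, far too little to look abnormal on any single infected host, so the flood is only visible in aggregate; and the same observations classified with the sampler’s rate ignored come out as “normal”, which is why the sampling ratio has to be carried through the arithmetic.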